Lucene search
27 matches found

Github Security Blog
added 2026/06/04 2:47 p.m., 15 views

Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution

Impact: The matrix-sdk-crypto crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the senderdevicekeys property. This could be exploited to spoof the sender of an encrypted to-device message, but only if the attacker collude...

5.8 AI score, 0.0005 EPSS
Exploits: 0, References: 5, Affected Software: 1
RedhatCVE
added 2026/03/26 3:11 p.m., 3 views

CVE-2026-32039

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutab...

6.5 CVSS, 5.8 AI score, 0.0019 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/03/12 6:22 p.m., 26 views

CVE-2026-32231 ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data

ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chatid) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (authtoken: None), an...

8.2 CVSS, 0.00184 EPSS
Exploits: 1, References: 4
OSV
added 2026/03/03 11:12 p.m., 4 views

GHSA-WPPH-CJGR-7C39 OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass

Summary: channels..groups..toolsBySender could match a privileged sender policy using a colliding mutable identity value (for example senderName or senderUsername) when deployments used untyped keys. The fix introduces explicit typed sender keys (id:, e164:, username:, name:), keeps legacy untyped key...

6 CVSS, 5.9 AI score, 0.0019 EPSS
Exploits: 0, References: 5
CNVD
added 2026/03/02 12:0 a.m., 4 views

OpenClaw has an unspecified vulnerability (CNVD-2026-13383)

OpenClaw is an open-source artificial intelligence assistant from openclaw. OpenClaw has a security vulnerability that stems from the fact that under iMessage groupPolicy=allowlist, the identity of the sender from the DM pairing store can satisfy the group authorization, which can be exploited by an...

6.5 CVSS, 5.8 AI score, 0.00283 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2026/02/22 1:25 p.m., 6 views

CVE-2026-27484

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

4.3 CVSS, 5.4 AI score, 0.0019 EPSS
Exploits: 0, References: 1
NVD
added 2026/02/21 10:16 a.m., 12 views

CVE-2026-27484

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

4.3 CVSS, 0.0019 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/02/21 9:21 a.m., 6 views

CVE-2026-27484

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

2.3 CVSS, 5.5 AI score, 0.0019 EPSS
Exploits: 0, References: 4, Affected Software: 1
CVE
added 2026/02/21 9:21 a.m., 13 views

CVE-2026-27484

OpenClaw (npm openclaw) versions 2026.2.17 and earlier are vulnerable: moderation actions (timeout, kick, ban) incorrectly use sender identity from request parameters in tool-driven flows instead of trusted runtime sender context. This allows a non-admin user, in setups where moderation actions a...

4.3 CVSS, 5.4 AI score, 0.0019 EPSS
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2026/02/21 9:21 a.m., 4 views

CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

2.3 CVSS, 5.3 AI score, 0.0019 EPSS
Exploits: 0, References: 3
CNNVD
added 2026/02/21 12:0 a.m., 6 views

OpenClaw security vulnerability

OpenClaw is an open-source artificial intelligence assistant from openclaw. OpenClaw has a security vulnerability that originates in the Discord audit operation processing using the sender's identity in the request parameters, which can be exploited by an attacker to request an audit operation by...

4.3 CVSS, 5.8 AI score, 0.0019 EPSS
Exploits: 0, References: 3
Github Security Blog
added 2026/02/20 9:2 p.m., 13 views

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

Overview: Discord moderation action handling (timeout, kick, ban) used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. Impact: In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin...

4.3 CVSS, 5.5 AI score, 0.0019 EPSS
Exploits: 0, References: 5, Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m., 10 views

EUVD-2006-5446

Malware in sbrugna...

2.1 CVSS, 9 AI score, 0.00395 EPSS
Exploits: 0, References: 17
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2004-2633

Malware in sbrugna...

6.4 CVSS, 6.4 AI score, 0.01536 EPSS
Exploits: 0, References: 8
OSV
added 2025/08/04 8:15 p.m., 7 views

CVE-2025-50340

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated...

4.3 CVSS, 6.8 AI score, 0.00304 EPSS
Exploits: 0, References: 3
Packet Storm News
added 2025/07/21 12:0 a.m., 2 views

PiMRef: Detecting and Explaining Ever-Evolving Spear Phishing Emails with Knowledge Base Invariants

Phishing emails are a critical component of the cybercrime kill chain due to their wide reach and low cost. Their ever-evolving nature renders traditional rule-based and feature-engineered detectors ineffective in the ongoing arms race between attackers and defenders. The rise of large language...

6.8 AI score
Exploits: 0
SUSE CVE
added 2023/02/15 6:14 a.m., 5 views

SUSE CVE-2006-5461

Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi...

2.1 CVSS, 6.5 AI score, 0.00395 EPSS
Exploits: 0, References: 4
ThreatPost
added 2020/07/01 1:0 p.m., 39 views

Email Sender Identity is Key to Solving the Phishing Crisis

Email is in crisis. Despite massive advancements in perimeter and endpoint defenses, email remains a cybersecurity weak link for many companies. Why? Email is at the heart of everything we do online. It’s an essential line of communication for one-on-one and group conversations, both...

7.3 AI score
Exploits: 0, References: 6
The Hacker News
added 2018/10/30 8:18 a.m., 2 views

Signal Secure Messaging App Now Encrypts Sender's Identity As Well

Signal, the popular end-to-end encrypted messaging app, is planning to roll out a new feature that aims to hide the sender's identity from potential attackers trying to intercept the communication. Although messages sent via secure messaging services, like Signal, WhatsApp, and Telegram, are full...

6.5 AI score
Exploits: 0
Tenable Nessus
added 2007/11/10 12:0 a.m., 29 views

Ubuntu 5.10 / 6.06 LTS / 6.10 : avahi vulnerability (USN-380-1)

Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has...

2.1 CVSS, 8.1 AI score, 0.00395 EPSS
Exploits: 0, References: 2