30713 matches found
PT-2026-27428
Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.0 Description Langflow is susceptible to an unauthenticated remote shell injection issue in GitHub Actions workflows. The issue stems from the unsanitized interpolation of GitHub context variables, such as $...
CVE-2026-32047
Rejected reason: This CVE ID has been rejected...
CVE-2026-27183
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...
CVE-2026-32908
...
CVE-2026-32908
OpenClaw 2026.1.21 before 2026.2.19 contains a local command injection in the Lobster extension’s Windows shell fallback. When spawn failures trigger shell fallback with shell: true, tool-provided arguments are interpreted by cmd.exe, enabling arbitrary commands via workflow-controlled parameters...
CVE-2026-32047
...
CVE-2026-32047
OpenClaw before 2026.2.22 is affected by an allowlist bypass in system.run . Attackers can bypass shell-wrapper analysis by injecting $\ followed by a newline and ( inside double quotes, folding the payload into $(...) to execute arbitrary subcommands. This is a local, low-complexity issue with l...
CVE-2026-28455
OpenClaw vulnerable before 2026.2.22 due to an allowlist bypass in system.run exec analysis. The flaw allows attackers to route execution through wrapper binaries (e.g., env, bash) and bypass intended allowlist restrictions by failing to unwrap env and shell-dispatch wrapper chains. Affected prod...
CVE-2026-28455
...
CVE-2026-27183
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...
CVE-2026-27183 OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...
CVE-2026-27183 OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...
CVE-2026-27183
OpenClaw vulnerable up to 2026.3.6. The issue lies in system.run dispatch-wrapper handling where the approval classifier and execution planner use different depth-boundary rules, allowing exactly four transparent dispatch wrappers before /bin/sh -c and bypassing the shell approval gating. This mi...
EUVD-2026-14555
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...
CVE-2026-33648
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled usersid and liveTransmitionHistoryid values from the JSON request body without any sanitization. This log file path is then...
CVE-2026-33648
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled usersid and liveTransmitionHistoryid values from the JSON request body without any sanitization. This log file path is then...
GitHub expands application security coverage with AI‑powered detections
AI is accelerating software development and expanding the range of languages and frameworks used in modern repositories. Security teams are increasingly responsible for protecting code written across many ecosystems, not just the core enterprise languages traditionally covered by static analysis...
Exploit for OS Command Injection in Arcane
CVE-2026-23520 MCP API Remote Command Execution RCE Proo...
CVE-2026-33482 AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails ...
CVE-2026-33482
CVE-2026-33482 affects WWBN AVideo prior to 26.1 (up to 26.0) where sanitizeFFmpegCommand() fails to remove $() (bash command substitution). Since the sanitized ffmpeg command is executed in a double-quoted sh -c context, an attacker able to supply a crafted encrypted payload can achieve arbitrar...