125 matches found

Vulnrichment
added 2026/05/08 9:12 p.m., 5 views

CVE-2026-42193 Plunk: SNS webhook forgery

Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhoo...

CVSS 9.1, AI score 5.7, EPSS 0.00018
Exploits 0, References 2

Positive Technologies
added 2026/05/06 12:00 a.m., 3 views

PT-2026-38031

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s EdDSA signing checks...

CVSS 7.3, AI score 7.2, EPSS 0.00071
Exploits 0, References 5

OSV
added 2026/05/05 5:15 p.m., 1 views

GHSA-9HMG-827W-9RHJ nuts-node has JWT type confusion in v1 access token introspection that allows VP replay as access token

Summary: The v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and...

CVSS 4.4, AI score 5.8, EPSS 0.00014
Exploits 0, References 4

CNNVD
added 2026/04/28 12:00 a.m., 4 views

OpenClaw security vulnerability

OpenClaw is an intelligent artificial assistant developed under the OpenClaw open source framework. Versions of OpenClaw prior to 2026.3.28 contained security vulnerabilities. These vulnerabilities were caused by a Webhook replay issue during Plivo V3 signature verification. This issue could allo...

CVSS 8.2, AI score 5.8, EPSS 0.00018
Exploits 0, References 1

OSV
added 2026/04/10 12:30 a.m., 2 views

GHSA-36CP-MH65-X882 Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rm59-992w-x2mv. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handlin...

CVSS 6.9, AI score 5.7, EPSS 0.00124
Exploits 0, References 5

EUVD
added 2026/04/10 12:30 a.m., 2 views

EUVD-2026-21110

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

CVSS 6.9, AI score 5.9, EPSS 0.00124
Exploits 0, References 5

Github Security Blog
added 2026/04/10 12:30 a.m., 4 views

Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rm59-992w-x2mv. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handlin...

CVSS 6.9, AI score 5.7, EPSS 0.00124
Exploits 0, References 6, Affected Software 1

NVD
added 2026/04/09 10:16 p.m., 1 views

CVE-2026-35626

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

CVSS 6.9, EPSS 0.00124
Exploits 0, References 4

Vulnrichment
added 2026/04/09 9:26 p.m., 0 views

CVE-2026-35626 OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

CVSS 6.9, AI score 5.8, EPSS 0.00124
Exploits 0, References 4

CVE
added 2026/04/09 9:26 p.m., 3 views

CVE-2026-35626

CVE-2026-35626 concerns OpenClaw prior to 2026.3.22, describing an unauthenticated resource exhaustion vulnerability in voice call webhook handling. The issue arises from buffering request bodies before provider signature checks, allowing attackers to send large or malformed webhook requests to e...

CVSS 6.9, AI score 5.9, EPSS 0.00124
Exploits 0, References 4, Affected Software 1

Cvelist
added 2026/04/09 9:26 p.m., 16 views

CVE-2026-35626 OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

CVSS 6.9, EPSS 0.00124
Exploits 0, References 4

Positive Technologies
added 2026/04/09 12:00 a.m., 1 views

PT-2026-31762

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

CVSS 6.9, AI score 5.9, EPSS 0.00124
Exploits 0, References 5

Snyk
added 2026/03/29 3:48 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Feishu webhook handling process. An attacker can cause excessive resource consumption by sending unauthenticated requests that...

CVSS 7.5, AI score 5.9, EPSS 0.00127
Exploits 0, References 2

Github Security Blog
added 2026/03/26 7:50 p.m., 3 views

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Summary: Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion. Affected Packages / Versions: Package: openclaw (npm); Affected: = 2026.3.22; Latest released tag checked: v2026.3.23-2...

CVSS 6.9, AI score 5.8, EPSS 0.00124
Exploits 0, References 6, Affected Software 1

CNNVD
added 2026/03/11 12:00 a.m., 3 views

Unity Catalog security vulnerability

Unity Catalog is an open-source multi-modal data and AI asset governance directory developed by unitycatalog. Versions of Unity Catalog prior to 0.4.0 contain security vulnerabilities; these vulnerabilities stem from authentication bypass exploits, which could allow attackers to circumvent...

CVSS 9.1, AI score 5.8, EPSS 0.0003
Exploits 0, References 1

RedhatCVE
added 2026/02/17 1:33 p.m., 2 views

CVE-2026-2625

No description is available for this CVE. Mitigation: Avoid processing untrusted or attacker-controlled RPM files with rpm -Kv or rpm --checksig. Use isolated environments or additional validation layers when handling untrusted RPM artifacts...

CVSS 4, AI score 5.5, EPSS 0.00006
Exploits 0, References 3

NVD
added 2026/02/15 11:15 a.m., 5 views

CVE-2025-32060

The system suffers from the absence of a kernel module signature verification. If an attacker can execute commands on behalf of root user due to additional vulnerabilities, then he/she is also able to load custom kernel modules to the kernel space and execute code in the kernel context. Such a fl...

CVSS 6.7, EPSS 0.00006
Exploits 0, References 3

ATTACKERKB
added 2026/02/09 9:34 p.m., 2 views

CVE-2026-25961

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can...

CVSS 7.5, AI score 6, EPSS 0.00105
Exploits 4, References 2, Affected Software 1

CNNVD
added 2026/02/09 12:00 a.m., 4 views

sumatrapdf security vulnerability

Sumatrapdf is an open-source PDF reader developed by SumatraPDF Reader. Versions 3.5.0 to 3.5.2 of SumatraPDF have security vulnerabilities. These vulnerabilities stem from the update mechanism disabling TLS hostname verification and failing to check the installer’s signature, which may allow...

CVSS 7.5, AI score 6.1, EPSS 0.00105
Exploits 4, References 2

OSV
added 2026/01/22 3:15 a.m., 2 views

DEBIAN-CVE-2026-23991

go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository or any of its mirrors returns invalid TUF metadata JSON (valid JSON but not well-formed TUF metadata), the client will panic during parsing, causing a denial of...

CVSS 7.5, AI score 8.3, EPSS 0.00037
Exploits 0, References 1