PT-2026-31010

Name of the Vulnerable Software and Affected Versions Cosign versions prior to 3.0.6 and prior to 2.6.3 Description Cosign, a tool for code signing and transparency for containers and binaries, had a flaw in verify-blob-attestation where it could incorrectly report a successful verification...

LoLLMs 安全漏洞

LoLLMs is a large language and multimodal system personally developed by Saifeddine ALOUI. Version 2.1.0 of LoLLMs contains a security vulnerability. This vulnerability arises from the use of weak keys for signing JSON Web Tokens, leading to improper access control. This could allow attackers to...

kernel security update

4.18.0-553.117.1 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...

kernel security update

5.14.0-611.47.1 - Disable UKI signing Orabug: 36571828 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug:...

kernel security update

6.12.0-124.49.1 - Add new Oracle Linux Driver Signing key 1 certificate Orabug: 37985782 - Disable UKI signing Orabug: 36571828 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list...

EUVD-2026-19472

SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, The SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height = 32 which include...

CVE-2026-35199

Summary: CVE-2026-35199 affects the SymCrypt XMSS^MT signing path in Windows. A 64-bit leaf-count is passed to a 32-bit parameter helper, causing silent truncation to zero for XMSS^MT parameter sets with total tree height ≥ 32. This leads to an undersized scratch buffer and a heap buffer overflow...

GHSA-MCWW-4HXQ-HFR3 LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...

LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...

SUSE CVE-2026-34610

The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lcx509extractnamesegment casts sizet vlen to uint8t when storing the Common Name CN length. An attacker who crafts a certificate with CN = victim's CN +...

Information Exposure

Overview @openclaw/nostr is an OpenClaw Nostr channel plugin for NIP-04 encrypted DMs Affected versions of this package are vulnerable to Information Exposure in the config.get process. An attacker can obtain sensitive plaintext signing keys by accessing configuration views that expose the secret...

Information Exposure

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Information Exposure in the config.get process. An attacker can obtain sensitive plaintext signing keys by accessing configuration views that expose the secret value. Remediation Upgrade...

OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get

Summary OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still models Nostr privateKey as plain string so config views can expose it, and the secret-schema f...

CVE-2026-34610 leancrypto: Integer truncation in X.509 name parser enables certificate identity impersonation

The leancrypto library is a cryptographic library that exclusively contains only PQC-resistant cryptographic algorithms. Prior to version 1.7.1, lcx509extractnamesegment casts sizet vlen to uint8t when storing the Common Name CN length. An attacker who crafts a certificate with CN = victim's CN +...

CVE-2026-34610

The CVE affects leancrypto's PQC-focused crypto library. Before 1.7.1, lc_x509_extract_name_segment() truncates size_t vlen to uint8_t for CN length, allowing an attacker to craft a certificate whose CN impersonates the victim’s CN during PKCS#7 verification, certificate chain matching, and code ...

CVE-2026-4947

Addressed a potential insecure direct object reference IDOR vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially...

CVE-2026-1579

The MAVLink communication protocol does not require cryptographic authentication by default. When MAVLink 2.0 message signing is not enabled, any message -- including SERIALCONTROL, which provides interactive shell access -- can be sent by an unauthenticated party with access to the MAVLink...

EUVD-2026-17767

Addressed a potential insecure direct object reference IDOR vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially...

CVE-2026-4947

Addressed a potential insecure direct object reference IDOR vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially...

CVE-2026-4947 Insecure Direct Object Reference (IDOR) Leading to Signature Forgery in Foxit eSign

Addressed a potential insecure direct object reference IDOR vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially...