Source: Github Security Blog, added 2026/05/06 6:42 p.m., 1 view

Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates

Summary: Kimai's Twig sandbox StrictPolicy, used for admin-uploaded invoice and export templates, allow-lists the config() Twig function with no key filtering. config(name) delegates to App\Configuration\SystemConfiguration::find($name), which returns arbitrary entries from the flattened kimai.config...

AI score: 5.9
Exploits: 0, References: 2, Affected Software: 1

Source: Github Security Blog, added 2026/04/14 1:6 a.m., 5 views

Kimai leaks API Token Hash via Invoice Twig Template

Summary: The Twig sandbox used for invoice templates blocks certain sensitive User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed. However, getApiToken and getPlainApiToken are not on the blocklist. An admin who creates an invoice template can embed calls t...

AI score: 5.9
Exploits: 0, References: 3, Affected Software: 1

Source: Github Security Blog, added 2026/03/02 10:3 p.m., 7 views

OpenClaw has web_search citation redirect SSRF via private-network-allowing policy

Summary: Gemini web_search citation redirect resolution used a private-network-allowing SSRF policy. A citation URL redirect could target loopback/private/internal destinations and be fetched by the gateway. Impact: An attacker who can influence citation redirect targets could trigger internal-netwo...

CVSS: 7.4, AI score: 5.9, EPSS: 0.00062
Exploits: 0, References: 4, Affected Software: 1

Source: Hacker One, added 2015/07/20 8:8 p.m., 19 views

Keybase: SMTP protection not used

Hi, I'm checking your website and found an SPF record there. You should apply a strict SMTP policy to stop spoofed emails being sent from your domain. An attacker could send a fake email from [email protected] saying "Please change your password." The victim is aware of phishing attacks, but when he sees...

AI score: 6.9
Exploits: 0