openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized variables

A flaw was found in the OpenSSH GSSAPI Generic Security Service Application Program Interface delta patches, as included in various Linux distributions. A remote attacker could exploit this by sending an unexpected GSSAPI message type during the key exchange process. This occurs because the...

GHSA-VRXF-VRC4-22P7 FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

Summary An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables including any database...

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via the Installer process. An attacker can access sensitive server configuration, environment variables, filesystem paths, and loaded PHP extensions by sending an unauthenticated GET request with the phpinfo parameter...

FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint

Summary An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables including any database...

Malicious code in camelotlabs-core (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

inngest-js 信息泄露漏洞

Inngest-js is an open-source framework developed by Inngest, designed to support various serverless platforms. It serves as a reliable event-driven and background task execution framework. Versions 3.22.0 to 3.53.1 of Inngest-js contain a vulnerability related to information leakage. This...

Malicious code in camelotlabs-utils (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

PT-2026-38616

Name of the Vulnerable Software and Affected Versions FacturaScripts versions prior to v2026 Description An unauthenticated information disclosure issue in the Installer controller allows a remote attacker to trigger the phpinfo function on a fresh deployment. By requesting the endpoint "/" with...

Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfp4-8x56-j7c5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environmen...

Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hxvm-xjvf-93f3. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace...

GHSA-XRGF-R9GR-JJJF Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vfp4-8x56-j7c5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environmen...

EUVD-2026-28194

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAWGITDIR to manipulate trusted OpenClaw runtime behavior...

GHSA-9R9J-3R2W-FG3V Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hxvm-xjvf-93f3. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace...

CVE-2026-44114

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAWGITDIR to manipulate trusted OpenClaw runtime behavior...

CVE-2026-43584

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUAINIT, and HOSTALIASES. Attackers can exploit this by...

MAL-2026-3355 Malicious code in playwright-atoned (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 250795bc04569c6f87e372e4b6bed019148a1c78f4357e8e430c1865acfead07 The package exfiltrates sensitive data like local environmental variables and cloud tokens --- Category: MALICIOUS - The campaign has clearly malicious intent,...

Malicious code in playwright-atoned (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 250795bc04569c6f87e372e4b6bed019148a1c78f4357e8e430c1865acfead07 The package exfiltrates sensitive data like local environmental variables and cloud tokens --- Category: MALICIOUS - The campaign has clearly malicious intent,...

CVE-2026-44114 OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAWGITDIR to manipulate trusted OpenClaw runtime behavior...

CVE-2026-44114

OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAWGITDIR to manipulate trusted OpenClaw runtime behavior...

CVE-2026-44114

OpenClaw prior to version 2026.4.20 contains a namespace reservation flaw in workspace dotenv handling: OPENCLAW_ runtime-control variables are not properly reserved, allowing a malicious workspace to override critical runtime variables (e.g., OPENCLAW_GIT_DIR) and influence source-update or inst...