41 matches found

OSV
added 6 days ago, 3 views

GHSA-8XVP-7HJ6-MCJ9 GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands

Summary: GitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.
Affected users:
- Authenticated github.com users who previously ran gh attestation commands, gh release verify, or...

CVSS 7.4, AI score 5.9, EPSS 0.00038
Exploits: 0, References: 3
Vulnrichment
added 2026/05/05 1:24 a.m., 3 views

CVE-2026-5722 MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible...

CVSS 9.8, AI score 5.8, EPSS 0.00312
Exploits: 0, References: 3
EUVD
added 2026/03/29 3:30 p.m., 2 views

EUVD-2026-17013

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool...

CVSS 8.8, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 3
NVD
added 2026/03/29 1:17 p.m., 2 views

CVE-2026-32974

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool...

CVSS 9.8, EPSS 0.00063
Exploits: 0, References: 2
Cvelist
added 2026/03/29 12:44 p.m., 20 views

CVE-2026-32974 OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool...

CVSS 8.8, EPSS 0.00063
Exploits: 0, References: 2
CVE
added 2026/03/29 12:44 p.m., 7 views

CVE-2026-32974

OpenClaw before 2026.3.12 contains an authentication bypass in Feishu webhook mode when only verificationToken is configured and encryptKey is absent. Unauthenticated network attackers can send forged Feishu events to the webhook endpoint, potentially triggering downstream tool execution. A fix i...

CVSS 9.8, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 2, Affected Software: 1
Positive Technologies
added 2026/03/29 12:00 a.m., 0 views

PT-2026-28455

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.12. Description: OpenClaw is susceptible to an authentication bypass issue in Feishu webhook mode. This occurs when only the verificationToken is configured, and the encryptKey is not. This allows unauthenticate...

CVSS 8.8, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 6
ATTACKERKB
added 2026/03/13 9:12 p.m., 0 views

CVE-2026-32616

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification lin...

CVSS 8.2, AI score 5.8, EPSS 0.00044
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/03/13 8:55 p.m., 2 views

GHSA-G353-MGV3-8PCJ OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

Summary: Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary. Impact: An unauthenticated network...

CVSS 8.6, AI score 6.1, EPSS 0.00063
Exploits: 0, References: 7
Github Security Blog
added 2026/03/13 8:55 p.m., 11 views

OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured

Summary: Feishu webhook mode allowed deployments that configured only verificationToken without encryptKey. In that state, forged inbound events could be accepted because the weaker configuration did not provide the required cryptographic verification boundary. Impact: An unauthenticated network...

CVSS 9.8, AI score 5.9, EPSS 0.00063
Exploits: 0, References: 7, Affected Software: 1
EUVD
added 2026/03/11 12:16 a.m., 2 views

EUVD-2026-10551

Parse Server has a NoSQL injection via token type in password reset and email verification endpoints...

CVSS 8.7, AI score 5.8, EPSS 0.00059
Exploits: 0, References: 4
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-7066

Malware in sbrugna...

CVSS 8.1, AI score 8, EPSS 0.05816
Exploits: 1, References: 3
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-6695

Malicious code in bioql PyPI...

CVSS 8.1, AI score 8, EPSS 0.00271
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-13278

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.6, EPSS 0.00086
Exploits: 0, References: 3
RedhatCVE
added 2025/05/23 7:11 a.m., 4 views

CVE-2024-35196

Sentry is a developer-first error tracking and performance monitoring platform. Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this verification token, i...

CVSS 2, AI score 4, EPSS 0.00094
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 4:22 p.m., 3 views

CVE-2020-14930

An issue was discovered in BT CTROMS Terminal OS Port Portal CT-464. Account takeover can occur because the password-reset feature discloses the verification token. Upon a getverificationcode.jsp request, this token is transmitted not only to the registered phone number of the user account, but i...

CVSS 8.1, AI score 7, EPSS 0.05816
Exploits: 1
RedhatCVE
added 2025/05/03 1:12 a.m., 2 views

CVE-2025-32888

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app...

CVSS 8.8, AI score 7.5, EPSS 0.00086
Exploits: 0, References: 1
NVD
added 2025/05/01 6:15 p.m., 5 views

CVE-2025-32888

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app...

CVSS 8.8, EPSS 0.00086
Exploits: 0, References: 2
OSV
added 2025/05/01 6:15 p.m., 2 views

CVE-2025-32888

An issue was discovered on goTenna Mesh devices with app 5.5.3 and firmware 1.1.12. The verification token used for sending SMS through a goTenna server is hardcoded in the app...

CVSS 8.8, AI score 5.8, EPSS 0.00086
Exploits: 0, References: 2
CVE
added 2025/05/01 12:00 a.m., 44 views

CVE-2025-32889

CVE-2025-32889 concerns goTenna v1 devices affected by app 5.5.3 and firmware 0.25.5, where the verification token used for sending SMS through a goTenna server is hardcoded in the app. The root cause is a hardcoded token in the mobile application, enabling potential misuse of the SMS sending pro...

CVSS 8.8, AI score 7.4, EPSS 0.00086
Exploits: 0, References: 2, Affected Software: 1