CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...
GHSA-P8GP-2W28-MHWG Signal K set-system-time plugin vulnerable to RCE - Command Injection
Summary A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K...
Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8p2-7wf7-98mq. This link is maintained to preserve external references. Original Description OpenClaw aka clawdbot or Moltbot before 2026.1.29 obtains a gatewayUrl value from a query string and automatically...
GHSA-R2C6-8JC8-G32W Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8p2-7wf7-98mq. This link is maintained to preserve external references. Original Description OpenClaw aka clawdbot or Moltbot before 2026.1.29 obtains a gatewayUrl value from a query string and automatically...
PT-2026-5713
Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0 Description A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can...
Mailpit 1.28.1 Cross Site WebSocket Hijacking
A cross-site WebSocket hijacking vulnerability exists in Mailpit versions 1.28.1 and below. The vulnerability allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real-time. Mailpit - Cross-Site WebSocket Hijacking (CSWSH) Advisory ID:...
CVE-2026-25253
OpenClaw aka clawdbot or Moltbot before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value...
CVE-2026-25253
OpenClaw/OpenClaw (clawdbot/Moltbot) vulnerability CVE-2026-25253 arises from the Control UI reading gatewayUrl from the URL query and auto-opening a WebSocket to the attacker’s endpoint with the stored token, enabling token exfiltration and potential full gateway compromise. Root cause: applySet...
Security update for qemu
This update for qemu fixes the following issues: CVE-2025-11234: Fixed use-after-free in websocket handshake code can lead to denial of service bsc1250984. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
SUSE-SU-2026:0356-1 Security update for qemu
This update for qemu fixes the following issues: - CVE-2025-11234: Fixed use-after-free in websocket handshake code can lead to denial of service bsc1250984...
OpenClaw Security Vulnerability
OpenClaw is an open-source intelligent artificial assistant from openclaw. A security vulnerability exists in versions prior to OpenClaw 2026.1.29; it originates from automatically establishing a WebSocket connection and sending a token, and can be exploited by an attacker to cause an unauthorized...
PT-2026-5584
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.1.29 Description An authentication bypass issue exists in the WebSocket gateway of OpenClaw. The software fails to validate the user-supplied gatewayUrl parameter before initializing WebSocket connections. This...
Credential Exposure
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Credential Exposure in the form of gateway query parameter hook tokens being sent in websocket responses. An attacker who convinces a user to follow a link with a malicious gatewayUrl URL...
Credential Exposure
Overview clawdbot is a WhatsApp gateway CLI Baileys web with Pi RPC agent Affected versions of this package are vulnerable to Credential Exposure in the form of gateway query parameter hook tokens being sent in websocket responses. An attacker who convinces a user to follow a link with a maliciou...
OESA-2026-1263 qemu security update
QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed. Security Fixes: A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and...
CVE-2026-24841
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without...