57008 matches found

OSV
added 2026/04/28 12:31 a.m. | 2 views

GHSA-8PF2-VJ79-4WXG Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

Duplicate Advisory. This advisory has been withdrawn because it is a duplicate of GHSA-chfm-xgc4-47rj. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Gra...

CVSS 5.4 | AI score 5.7 | EPSS 0.00177
Exploits 0 | References 4
Github Security Blog
added 2026/04/28 12:31 a.m. | 3 views

Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

Duplicate Advisory. This advisory has been withdrawn because it is a duplicate of GHSA-chfm-xgc4-47rj. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Gra...

CVSS 5.4 | AI score 5.7 | EPSS 0.00177
Exploits 0 | References 5 | Affected Software 1
CNNVD
added 2026/04/28 12:00 a.m. | 9 views

XXL-JOB Encryption Issue Vulnerability

XXL-JOB is a distributed task scheduling platform developed by xuxueli as an individual project. Versions of XXL-JOB 3.3.2 and earlier contained a security vulnerability related to encryption. This vulnerability stemmed from an unknown function parameter in the component’s OpenAPI Endpoint,...

CVSS 6.3 | AI score 6.2 | EPSS 0.00327
Exploits 0 | References 1
Positive Technologies
added 2026/04/28 12:00 a.m. | 2 views

PT-2026-35576

A weakness has been identified in dvladimirov MCP up to 0.1.0. The impacted element is the function GitSearchRequest of the file mcp server.py of the component Git Search API. Executing a manipulation of the argument repo url/pattern can lead to command injection. The attack can be executed...

CVSS 7.5 | AI score 5.2 | EPSS 0.01338
Exploits 0 | References 6
Positive Technologies
added 2026/04/28 12:00 a.m. | 2 views

PT-2026-35723

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. An unauthenticated...

CVSS 8.8 | AI score 5.3 | EPSS 0.00533
Exploits 0 | References 4
Packet Storm News
added 2026/04/28 12:00 a.m. | 52 views

An Empirical Security Evaluation of LLM-Generated Cryptographic Rust Code

Developers and organizations are using Large Language Models (LLMs) to generate security-critical code more frequently than ever, including cryptographic solutions for their products. This study presents an empirical evaluation of cryptographic security in 240 Rust code samples for two crypto...

AI score 5.9
Exploits 0
CNNVD
added 2026/04/28 12:00 a.m. | 9 views

MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration Injection Vulnerability

MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration is an integrated model control plane server developed by DVladimirov, which integrates OpenAI, Git, a file system, and Prometheus. Versions of MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration prior to 0.1.0 hav...

CVSS 7.5 | AI score 7.2 | EPSS 0.01338
Exploits 0 | References 1
CVE
added 2026/04/28 12:00 a.m. | 55 views

CVE-2026-40355

MIT Kerberos 5 (krb5) before 1.22.3 is affected by a NULL pointer dereference in gss_accept_sec_context when a NegoEx mechanism is registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message (denial of service). Affected...

CVSS 5.9 | AI score 5.5 | EPSS 0.00461
Exploits 0 | References 3
CNNVD
added 2026/04/28 12:00 a.m. | 7 views

Red Hat OpenShift Container Platform Code Issue Vulnerability

Red Hat OpenShift Container Platform is a platform developed by Red Hat Inc., which helps enterprises develop, deploy, and manage existing container-based applications across physical, virtual, and public cloud infrastructures. There is a code vulnerability in Red Hat OpenShift Container Platform...

CVSS 4.3 | AI score 6 | EPSS 0.00179
Exploits 0 | References 1
CVE
added 2026/04/27 11:24 p.m. | 12 views

CVE-2026-41365

OpenClaw prior to 2026.3.31 has a sender allowlist bypass in MS Teams thread history fetched via Graph API, allowing retrieval of messages that should be filtered by sender allowlists. Root cause: bypass of sender filtering when collecting thread history. Impact: potential exposure of non-filtere...

CVSS 5.4 | AI score 5.2 | EPSS 0.00177
Exploits 0 | References 3 | Affected Software 1
OSV
added 2026/04/27 8:35 p.m. | 6 views

JLSEC-2026-281 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Summary The RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs... supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend,...

CVSS 9.2 | AI score 6.2 | EPSS 0.07119
Exploits 1 | References 5
RedhatCVE
added 2026/04/27 7:23 p.m. | 5 views

CVE-2026-6979

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and m...

CVSS 6.5 | AI score 6.1 | EPSS 0.00252
Exploits 0 | References 1
RedhatCVE
added 2026/04/27 7:23 p.m. | 3 views

CVE-2026-6982

A vulnerability was determined in star7th ShowDoc up to 2.10.10/3.6.2/3.8.0. Affected by this vulnerability is an unknown functionality of the file server/Application/Api/Controller/PageController.class.PHP of the component API Page Sort Endpoint. Executing a manipulation of the argument pages ca...

CVSS 6.5 | AI score 6.2 | EPSS 0.00241
Exploits 0 | References 1
RedhatCVE
added 2026/04/27 7:23 p.m. | 5 views

CVE-2026-6977

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. The affected element is an unknown function of the component Legacy Flask API. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and ma...

CVSS 7.5 | AI score 6.9 | EPSS 0.00278
Exploits 0 | References 1
NVD
added 2026/04/27 7:16 p.m. | 6 views

CVE-2026-7147

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...

CVSS 7.5 | EPSS 0.00278
Exploits 0 | References 5
OSSF Malicious Packages
added 2026/04/27 6:37 p.m. | 7 views

Malicious code in robase-ui (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9ca93a110c410fd6294e5270289bebb1872f9b81152d837f4990756881646cc0 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.7
Exploits 0 | References 9
OSV
added 2026/04/27 6:37 p.m. | 4 views

MAL-2026-3104 Malicious code in robase-ui (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9ca93a110c410fd6294e5270289bebb1872f9b81152d837f4990756881646cc0 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.8
Exploits 0 | References 9
Cvelist
added 2026/04/27 6:15 p.m. | 31 views

CVE-2026-7147 JoeCastrom mcp-chat-studio LLM Models API llm.js server-side request forgery

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...

CVSS 7.5 | EPSS 0.00278
Exploits 0 | References 5
EUVD
added 2026/04/27 6:15 p.m. | 4 views

EUVD-2026-25906

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.baseurl results in server-side request forgery. Remote...

CVSS 7.5 | AI score 7 | EPSS 0.00278
Exploits 0 | References 5
CVE
added 2026/04/27 6:15 p.m. | 12 views

CVE-2026-7147

JoeCastrom mcp-chat-studio (up to 1.5.0) contains a server-side request forgery (SSRF) vulnerability in the LLM Models API, specifically in file server/routes/llm.js. Manipulating the argument req.query.base_url can trigger SSRF, enabling remote exploitation. Public exploit appears available. The...

CVSS 7.5 | AI score 7.1 | EPSS 0.00278
Exploits 0 | References 5