GHSA-7XR2-Q9VF-X4R5 OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Summary The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file agents.create and agents.update still use raw fs.appendFile on the IDENTITY.md file without any symlink...

OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Summary The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file agents.create and agents.update still use raw fs.appendFile on the IDENTITY.md file without any symlink...

PT-2024-27437 · Jan · Jan

Name of the Vulnerable Software and Affected Versions: Jan version 0.4.12 Description: The issue allows attackers to execute arbitrary code via uploading a crafted file to the "/v1/app/appendFileSync" interface. Recommendations: For Jan version 0.4.12, as a temporary workaround, consider disablin...

Send ICMP Nasty Garbage (SING) - Append File Logrotate

Send ICMP Nasty Garbage SING - Append File Logrotate / sing file append exploit by bannedit 12/05/2007 The original reporter of this issue included an example session which added an account to the machine. The method for this exploit is slightly different and much more quiet. Although it relies...