PT-2026-34764

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute...

PT-2026-34758

Name of the Vulnerable Software and Affected Versions Microsoft Power Apps affected versions not specified Description An uncontrolled search path element allows an unauthorized attacker to execute code over a network. Recommendations At the moment, there is no information about a newer version...

@node-oauth/oauth2-server 安全漏洞

@node-oauth/oauth2-server is an open-source Node.js OAuth2 server implementation that adheres to RFC standards. @node-oauth/oauth2-server has a security vulnerability; this vulnerability stems from the token exchange path accepting an invalid codeverifier value according to RFC7636, which may lea...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID PID files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory...

Yadea T5 Electric Bicycles 安全漏洞

Yadea T5 Electric Bicycles is a lightweight electric bicycle designed for urban commuting by Yadea Company. The Yadea T5 Electric Bicycles have a security vulnerability, which stems from a weak authentication mechanism in the keyless entry system. By using the fixed code RF protocol, local...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw from 2026.2.26 to 2026.3.31 contained security vulnerabilities. These vulnerabilities stemmed from the system’s ability to execute pending pairing requests based on channel files rather than...

CVE-2025-70994

Yadea T5 Electric Bicycles models manufactured in/after 2024 have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF protocol without implementing rolling codes or cryptographic challenge-response mechanisms. This is vulnerable to signal...

Linux Distros Unpatched Vulnerability : CVE-2026-22004

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0...

Joern 4.0.526

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

PT-2026-34591

A vulnerability was identified in ByteDance verl up to 0.7.0. Affected is the function math equal of the file prime math/grader.py. The manipulation leads to sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be...

AutoRISE: Agent-Driven Strategy Evolution for Red-Teaming Large Language Models

Automated red-teaming methods for large language models typically optimize attack prompts within a fixed, human-designed strategy, leaving the attack strategy itself unchanged. We instead optimize the strategy. We propose AutoRISE, a method that searches over executable attack programs rather tha...

CVE-2026-41313

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer /Size value in incremental mode. This has been fixed in pypdf 6.10.2. As...

SUSE-SU-2026:21382-1 Security update for python-Pillow

This update for python-Pillow fixes the following issue: - CVE-2026-40192: Versions 10.3.0 through 12.1.1 did not limit the amount of GZIP-compressed data read when decoding a FITS image, making them vulnerable to decompression bomb attacks bsc1262184...

Exploit for Improper Input Validation in Microsoft

Overview Python exploit for CVE-2026-32201 - improper input va...

CVE-2026-40937

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

Origin Validation Error

Overview locize is a This package adds the incontext editor to your i18next setup. Affected versions of this package are vulnerable to Origin Validation Error in the window.addEventListener message handler due to missing validation of the event.origin property. An attacker can execute arbitrary...

CVE-2026-34068

Summary (CVE-2026-34068) Nimiq-transaction’s staking contract (Rust) prior to v1.3.0 accepts UpdateValidator transactions that set new_voting_key=Some(...) without including new_proof_of_knowledge, bypassing the PoK requirement used to prevent BLS rogue-key attacks in aggregated signatures. Since...

CVE-2026-34068 nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge

nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts UpdateValidator transactions that set newvotingkey=Some... while omitting newproofofknowledge. this skips the proof-of-knowledge requirement that is...

CVE-2026-34064 nimiq-account: Vesting insufficient funds error can panic

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...