192244 matches found

Snyk
added 2026/04/02 8:59 p.m., 3 views

Replay Attack

Overview @openclaw/zalo is an OpenClaw Zalo channel plugin Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths...

5.4 CVSS, 5.8 AI score, 0.00274 EPSS
Exploits: 0, References: 2
Snyk
added 2026/04/02 8:59 p.m., 13 views

Replay Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths...

5.4 CVSS, 5.4 AI score, 0.00274 EPSS
Exploits: 0, References: 2
Snyk
added 2026/04/02 8:57 p.m., 3 views

Replay Attack

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation...

6.3 CVSS, 5.8 AI score, 0.00229 EPSS
Exploits: 0, References: 2
Snyk
added 2026/04/02 8:57 p.m., 0 views

Replay Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation Upgra...

6.3 CVSS, 5.9 AI score, 0.00229 EPSS
Exploits: 0, References: 2
Github Security Blog
added 2026/04/02 8:37 p.m., 7 views

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Summary The fix for GHSA-c2ff-88x2-x9pg CVE-2023-48223 is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched. Details The f...

9.1 CVSS, 6.3 AI score, 0.00687 EPSS
Exploits: 2, References: 4, Affected Software: 1
NVD
added 2026/04/02 8:16 p.m., 3 views

CVE-2026-5420

A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AESIV/AESPASSWORD results in use of hard-coded...

2.5 CVSS, 0.00099 EPSS
Exploits: 0, References: 4
Vulnrichment
added 2026/04/02 7:3 p.m., 3 views

CVE-2026-34761 Ella Core Panics Upon NGAP handover failure

Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing a NGAP handover failure message. An attacker able to cause a gNodeB to send NGAP handover failure messages to Ella Core can crash the process, causing service disruption for all connecte...

5.8 CVSS, 5.8 AI score, 0.00317 EPSS
Exploits: 0, References: 2
ATTACKERKB
added 2026/04/02 7:0 p.m., 2 views

CVE-2026-5420

A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AESIV/AESPASSWORD results in use of hard-coded...

2.5 CVSS, 5 AI score, 0.00099 EPSS
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment
added 2026/04/02 7:0 p.m., 2 views

CVE-2026-5420 Shinrays Games Goods Triple App cats.goods.sort.sorting.games jRwTX.java hard-coded key

A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AESIV/AESPASSWORD results in use of hard-coded...

2.5 CVSS, 5 AI score, 0.00099 EPSS
Exploits: 0, References: 4
CVE
added 2026/04/02 7:0 p.m., 8 views

CVE-2026-5420

CVE-2026-5420 affects Shinrays Games Goods Triple App (up to 1.200), specifically the component cats.goods.sort.sorting.games and the file jRwTX.java. The issue arises from manipulating AES_IV/AES_PASSWORD, resulting in the use of a hard-coded cryptographic key. Local attack is required with high...

2.5 CVSS, 5 AI score, 0.00099 EPSS
Exploits: 0, References: 4
OSV
added 2026/04/02 6:36 p.m., 3 views

GHSA-3HFP-GQGH-XC5G Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan RAT on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

9.6 CVSS, 6.2 AI score
Exploits: 0, References: 9
OSV
added 2026/04/02 6:34 p.m., 4 views

GHSA-658G-P7JG-WX5G Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

9.8 CVSS, 5.9 AI score, 0.00234 EPSS
Exploits: 0, References: 7
Github Security Blog
added 2026/04/02 6:34 p.m., 12 views

Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

9.8 CVSS, 5.9 AI score, 0.00234 EPSS
Exploits: 0, References: 7, Affected Software: 1
EUVD
added 2026/04/02 6:31 p.m., 5 views

EUVD-2026-18488

A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed...

6.9 CVSS, 5.7 AI score, 0.00315 EPSS
Exploits: 0, References: 5
EUVD
added 2026/04/02 6:31 p.m., 3 views

EUVD-2026-18360

A security flaw has been discovered in Trendnet TEW-657BRM 1.00.1. The impacted element is the function updatepcdb of the file /setup.cgi. The manipulation of the argument macpcdba results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the...

9 CVSS, 7.8 AI score, 0.00815 EPSS
Exploits: 1, References: 5
NVD
added 2026/04/02 6:16 p.m., 3 views

CVE-2026-5413

A vulnerability was identified in Newgen OmniDocs up to 12.0.00. Affected by this vulnerability is an unknown functionality of the file /omnidocs/GetWebApiConfiguration. The manipulation of the argument connectionDetails leads to information disclosure. The attack is possible to be carried out...

6.3 CVSS, 0.00305 EPSS
Exploits: 0, References: 4
NVD
added 2026/04/02 6:16 p.m., 3 views

CVE-2026-34118

A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when handling externally supplied HTTP input. An...

7.1 CVSS, 0.00259 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/04/02 6:0 p.m., 2 views

CVE-2026-5414

A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed...

6.9 CVSS, 5.7 AI score, 0.00315 EPSS
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2026/04/02 6:0 p.m., 22 views

CVE-2026-5414 Newgen OmniDocs WebApiRequestRedirection resource injection

A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack may be performed...

6.9 CVSS, 0.00315 EPSS
Exploits: 0, References: 4
CVE
added 2026/04/02 6:0 p.m., 10 views

CVE-2026-5414

Newgen OmniDocs (up to 12.0.00) contains a vulnerability in /omnidocs/WebApiRequestRedirection where manipulating the DocumentId parameter leads to improper control of resource identifiers. The issue can be exploited remotely, and a public exploit is available. The vendor was contacted but did no...

6.9 CVSS, 5.7 AI score, 0.00315 EPSS
Exploits: 0, References: 4