EUVD-2026-21110

OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassi...

PT-2026-31883

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313 b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can...

CowAgent 路径遍历漏洞

CowAgent is an intelligent assistant and scalable agent framework developed by zhayujie’s individual developer. Versions of CowAgent 2.0.4 and earlier had a path traversal vulnerability. This vulnerability stemmed from incorrect handling of the parameter filename in the file...

PHP MySQL User Signup Login System 安全漏洞

PHP MySQL User Signup Login System is a MySQL registration and login system developed by Keerti Vishwkarma. Version 1.0 of the PHP MySQL User Signup Login System has a security vulnerability. This vulnerability stems from a flaw in the username parameter used in the login.php file, which may lead...

Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.3.0 contained security vulnerabilities. These vulnerabilities stemmed from a failure in the TOTP lock mechanism’s attempt to lock the account due to database transaction processing errors...

BadSkill: Backdoor Attacks on Agent Skills Via Model-In-Skill Poisoning

Agent ecosystems increasingly rely on installable skills to extend functionality, and some skills bundle learned model artifacts as part of their execution logic. This creates a supply-chain risk that is not captured by prompt injection or ordinary plugin misuse: a third-party skill may appear...

CVE-2026-6042

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix...

OpenClaw has an unspecified vulnerability (CNVD-2026-17487)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that can be exploited by an attacker to execute native code after an operator approves misleading command text...

ADAM: A Systematic Data Extraction Attack on Agent Memory Via Adaptive Querying

Large Language Model LLM agents have achieved rapid adoption and demonstrated remarkable capabilities across a wide range of applications. To improve reasoning and task execution, modern LLM agents would incorporate memory modules or retrieval-augmented generation RAG mechanisms, enabling them to...

Apple macOS Denial of Service Vulnerability (CNVD-2026-17906)

Apple macOS is a specialized operating system developed by Apple for Mac computers. A denial of service vulnerability exists in Apple macOS. An attacker could exploit this vulnerability to cause an application to unexpectedly terminate the system...

PT-2026-32026

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml load string without XXE protection. With LIBXML NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3...

Discourse Input Validation Error Vulnerability (CNVD-2026-17260)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from an input validation error vulnerability that originates when the enter operation in StaticController reads the...

PT-2026-31859

Name of the Vulnerable Software and Affected Versions Simple IT Discussion Forum version 1.0 Description A SQL injection flaw exists in the /delete-category.php file of Simple IT Discussion Forum version 1.0. Manipulation of the cat id argument can trigger the injection. The attack can be initiat...

PT-2026-31953

Summary The Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries ...

Unity Linux 20.1070e Security Update: unbound (UTSA-2026-007096)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007096 advisory. A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet ECS. Unbound is also...

Atlassian Jira Service Management Data Center and Server 5.17.2 < 10.3.17 / 10.4.x < 11.3.0 (JSDSERVER-16515)

The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16515 advisory. - Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are...

SUSE CVE-2026-5889

Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. Chromium security severity: Medium...

CVE-2026-5986

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...

CVE-2026-5986

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...

CVE-2026-5986 Zod jsVideoUrlParser util.js getTime redos

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...