
192113 matches found

CNNVD
added 2026/04/03 12:0 a.m. | 5 views

Biztalk360 Security Vulnerability

Biztalk360 is an integrated operation and monitoring platform developed by the British company Biztalk360. Versions of Biztalk360 prior to 11.5 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of user input in the server read paths, which could allow...

CVSS: 6.8 | AI score: 5.8 | EPSS: 0.00883
Exploits: 0 | References: 1
CNNVD
added 2026/04/03 12:0 a.m. | 4 views

Core Flight System (cFS) Code Issue Vulnerability

Core Flight System (cFS) is a generic flight software architecture framework open-sourced by NASA, used for flagship spacecraft, manned spacecraft, cube satellites, and Raspberry Pi devices. Versions of Core Flight System (cFS) 7.0.0 and earlier contained code vulnerabilities. These vulnerabilities...

CVSS: 7 | AI score: 5.9 | EPSS: 0.00223
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/03 12:0 a.m. | 2 views

PT-2026-29972

A remote attacker can supply a short X-Wing HPKE encapsulated key and trigger an out-of-bounds read in the C decapsulation path, potentially causing a crash or memory disclosure depending on runtime protections. This issue is fixed in swift-crypto version 4.3.1...

AI score: 5.9 | EPSS: 0.00472
Exploits: 1 | References: 2
Packet Storm News
added 2026/04/03 12:0 a.m. | 12 views

Supply-Chain Poisoning Attacks against LLM Coding Agent Skill Ecosystems

LLM-based coding agents extend their capabilities via third-party agent skills distributed through open marketplaces without mandatory security review. Unlike traditional packages, these skills are executed as operational directives with system-level privileges, so a single malicious skill can...

AI score: 6
Exploits: 0
CNNVD
added 2026/04/03 12:0 a.m. | 6 views

FastMCP Security Vulnerability

FastMCP is an MCP server building software developed by Jeremiah Lowin. Versions of FastMCP prior to 3.2.0 contained security vulnerabilities; these vulnerabilities stemmed from incorrect user authorization verification by OAuthProxy, which could lead to rogue agent attacks...

CVSS: 8.2 | AI score: 5.8 | EPSS: 0.00207
Exploits: 1 | References: 1
UbuntuCve
added 2026/04/03 12:0 a.m. | 2 views

CVE-2026-27456

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privilege...

CVSS: 4.7 | AI score: 5.8 | EPSS: 0.00118
Exploits: 1 | References: 2
Tenable Nessus
added 2026/04/03 12:0 a.m. | 15 views

LiteLLM 1.82.7 / 1.82.8 Supply Chain Compromise (GHSA-5mg7-485q-xm76)

The version of the LiteLLM Python package installed on the remote host is 1.82.7 or 1.82.8. These versions were published to PyPI by a threat actor known as TeamPCP using compromised maintainer credentials obtained through the Aqua Security Trivy supply chain attack. The malicious releases contai...

CVSS: 9.4 | AI score: 6.3 | EPSS: 0.60368
Exploits: 2 | References: 4
ATTACKERKB
added 2026/04/02 11:26 p.m. | 3 views

CVE-2026-33105

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network...

CVSS: 10 | AI score: 5.9 | EPSS: 0.0072
Exploits: 0 | References: 2
RedhatCVE
added 2026/04/02 10:55 p.m. | 5 views

CVE-2026-5311

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00991
Exploits: 1 | References: 1
GithubExploit
added 2026/04/02 9:55 p.m. | 180 views

Exploit for CVE-2020-0665

TrustFull For anyone with trust issues Active Directory...

CVSS: 8.8 | AI score: 7 | EPSS: 0.74265
Exploits: 10
EUVD
added 2026/04/02 9:32 p.m. | 1 views

EUVD-2026-18546

A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded...

CVSS: 2.5 | AI score: 5 | EPSS: 0.00099
Exploits: 0 | References: 5
NVD
added 2026/04/02 9:16 p.m. | 2 views

CVE-2026-30251

A reflected cross-site scripting (XSS) vulnerability in the loginnewpwd.php endpoint of Interzen Consulting S.r.l ZenShare Suite v17.0 allows attackers to execute arbitrary JavaScript in the context of the user's browser via a crafted URL injected into the codiceazienda parameter...

CVSS: 6.1 | EPSS: 0.00194
Exploits: 0 | References: 1
Snyk
added 2026/04/02 8:59 p.m. | 3 views

Replay Attack

Overview: @openclaw/zalo is an OpenClaw Zalo channel plugin. Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00274
Exploits: 0 | References: 2
Snyk
added 2026/04/02 8:59 p.m. | 13 views

Replay Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths...

CVSS: 5.4 | AI score: 5.4 | EPSS: 0.00274
Exploits: 0 | References: 2
Snyk
added 2026/04/02 8:57 p.m. | 2 views

Replay Attack

Overview: @openclaw/voice-call is an OpenClaw voice-call plugin. Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00229
Exploits: 0 | References: 2
Snyk
added 2026/04/02 8:57 p.m. | 0 views

Replay Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation Upgra...

CVSS: 6.3 | AI score: 5.9 | EPSS: 0.00229
Exploits: 0 | References: 2
Github Security Blog
added 2026/04/02 8:37 p.m. | 6 views

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Summary: The fix for GHSA-c2ff-88x2-x9pg (CVE-2023-48223) is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched. Details: The f...

CVSS: 9.1 | AI score: 6.3 | EPSS: 0.00687
Exploits: 2 | References: 4 | Affected Software: 1
NVD
added 2026/04/02 8:16 p.m. | 2 views

CVE-2026-5420

A security flaw has been discovered in Shinrays Games Goods Triple App up to 1.200. The affected element is an unknown function of the file jRwTX.java of the component cats.goods.sort.sorting.games. Performing a manipulation of the argument AES_IV/AES_PASSWORD results in use of hard-coded...

CVSS: 2.5 | EPSS: 0.00099
Exploits: 0 | References: 4
Vulnrichment
added 2026/04/02 7:3 p.m. | 3 views

CVE-2026-34761 Ella Core Panics Upon NGAP handover failure

Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, Ella Core panics when processing an NGAP handover failure message. An attacker able to cause a gNodeB to send NGAP handover failure messages to Ella Core can crash the process, causing service disruption for all connecte...

CVSS: 5.8 | AI score: 5.8 | EPSS: 0.00317
Exploits: 0 | References: 2
CVE
added 2026/04/02 7:0 p.m. | 7 views

CVE-2026-5420

CVE-2026-5420 affects Shinrays Games Goods Triple App (up to 1.200), specifically the component cats.goods.sort.sorting.games and the file jRwTX.java. The issue arises from manipulating AES_IV/AES_PASSWORD, resulting in the use of a hard-coded cryptographic key. Local attack is required with high...

CVSS: 2.5 | AI score: 5 | EPSS: 0.00099
Exploits: 0 | References: 4