CVE-2026-39862

Tophat, a mobile alkalmazations testing harness, is affected prior to version 2.5.1. A crafted tophat:// or localhost:29070 URL causes the arguments query parameter to flow unsanitized from URL parsing to /bin/bash -c, enabling remote code execution with the developer’s macOS user permissions. An...

OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)

Summary system.run allowed SHELLOPTS + PS4 environment injection to trigger command substitution during bash -lc xtrace expansion before the allowlisted command body executed. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.21-2 includes latest published npm version at...