10 matches found
CVE-2026-44994 OpenClaw < 2026.4.22 - Authentication Bypass in Gateway Control UI Bootstrap Config Endpoint
OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive...
GHSA-MXQH-Q9H6-V8PQ Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
Summary An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets th...
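The nginx-ui entry above describes a bug class rather than a single line of code: an install route that needs no credentials while the instance is still uninitialised, so whoever posts first becomes the administrator. The following is an added example, not nginx-ui's code, that models that route in Python beside one common hardening, a random per-process setup token that is written to the server console and must accompany the install request. The route name, request fields and `Instance` type are assumptions for the illustration.

```python
"""Model of a first-boot "instance claim" endpoint, vulnerable and hardened.

Added example, not nginx-ui's code. Route and field names are assumptions.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored form is salt:hash (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


@dataclass
class Instance:
    installed: bool = False
    admin_user: Optional[str] = None
    admin_password_hash: Optional[str] = None
    # Hardened variant only. Generated at start-up and written to the console
    # (or a root-only file); it is never served over HTTP.
    setup_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def install_vulnerable(inst: Instance, body: dict) -> int:
    """POST /api/install as the advisory describes it: the only check is
    'not installed yet', so any client that reaches the route first claims it."""
    if inst.installed:
        return 403
    inst.admin_user = body["user"]
    inst.admin_password_hash = hash_password(body["password"])
    inst.installed = True
    return 200


def install_hardened(inst: Instance, body: dict, setup_token: Optional[str]) -> int:
    """Same route, but the request must carry the out-of-band setup token.
    compare_digest keeps the check constant-time; once installed, the route
    stays closed regardless of the token."""
    if inst.installed:
        return 403
    if setup_token is None or not secrets.compare_digest(
        setup_token.encode(), inst.setup_token.encode()
    ):
        return 401
    inst.admin_user = body["user"]
    inst.admin_password_hash = hash_password(body["password"])
    inst.installed = True
    return 200


if __name__ == "__main__":
    victim = Instance()
    print("vulnerable:", install_vulnerable(victim, {"user": "attacker", "password": "pwned"}), victim.admin_user)
    victim = Instance()
    print("hardened, no token:", install_hardened(victim, {"user": "attacker", "password": "pwned"}, None))
    print("hardened, real token:", install_hardened(victim, {"user": "admin", "password": "s3cret"}, victim.setup_token))
```

The important property is the second `return`: a remote client who can reach the port during the install window still cannot complete the claim without something that only the operator on the host can read. Binding the setup route to localhost or a management interface is a complementary control, not a replacement for it.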
CVE-2026-41335 OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and...
OpenClaw Security Vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contain a security vulnerability that stems from a flaw in the Control UI bootstrap JSON, which leaks information. This...
VulnCheck KEV: CVE-2025-63387
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...
PYSEC-2025-103
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...
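Both the OpenClaw bootstrap entries and the Dify entries above reduce to the same check: does a console or config endpoint answer a request that carries no credentials at all? The following added example (not Dify's or OpenClaw's code) sends such a request and classifies the answer; it includes a constructed stand-in server so it can be exercised offline. Only `/console/api/system-features` is probed because that is the one path the page names; the stub's JSON payload is made up and is not the real application's response.

```python
"""Credential-less probe for console/config endpoints.

Added example, not Dify's or OpenClaw's code. probe() sends a GET with no
Authorization header and no Cookie and reports a path as "exposed" when the
server answers 200 with a JSON body. start_stub() is a constructed stand-in.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict, Iterable

# The endpoint named in PYSEC-2025-103 / CVE-2025-63387 above.
SENSITIVE_PATHS = ["/console/api/system-features"]


def probe(host: str, port: int, paths: Iterable[str], timeout: float = 5.0) -> Dict[str, str]:
    """Return {path: "exposed" | "protected" | "other:<detail>"} per path."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            # Deliberately no Authorization header and no Cookie.
            conn.request("GET", path, headers={"Accept": "application/json"})
            resp = conn.getresponse()
            body = resp.read()
        finally:
            conn.close()
        if resp.status in (401, 403):
            results[path] = "protected"
        elif resp.status == 200:
            try:
                json.loads(body)
                results[path] = "exposed"
            except ValueError:
                results[path] = "other:200-non-json"
        else:
            results[path] = f"other:{resp.status}"
    return results


def start_stub(vulnerable: bool) -> ThreadingHTTPServer:
    """Constructed stand-in: the vulnerable variant serves the config to
    anyone; the fixed variant requires a bearer token or a session cookie."""

    class Stub(BaseHTTPRequestHandler):
        def do_GET(self):
            authed = "Authorization" in self.headers or "Cookie" in self.headers
            if self.path not in SENSITIVE_PATHS:
                self.send_response(404)
                self.send_header("Content-Length", "0")
                self.end_headers()
            elif vulnerable or authed:
                payload = json.dumps({"version": "stub-1.0", "features": {"sso": False}}).encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_response(401)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for flag in (True, False):
        srv = start_stub(vulnerable=flag)
        print("vulnerable" if flag else "fixed",
              probe("127.0.0.1", srv.server_address[1], SENSITIVE_PATHS))
        srv.shutdown()
        srv.server_close()
```

Against a real deployment, point `probe()` at the instance's host and port and treat any `exposed` result as the finding described in the advisories; a 200 that is not JSON usually means a front end returned its index page and the API path should be checked separately.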
Malicious code in airbnb-bootstrap-data (npm)
Source: ghsa-malware 8ab32fc1acc308cef69cd2c28a15f3ca79fb2ebeec3a94c3ece78de110b9229c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2016-10735
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041...
Open-Xchange: [XSS] Pasting bootstrap in mail compose
Hi. No filter for bootstrap data attributes. data-target allows any HTML, e.g.: - " href="" collapse - " href="" dropdown - " href="" modal Steps: 1. Create a page with this code (best example with dropdown; you can use my template https://secator.com/ox/bootstrap.html) 2. Ctrl+A select all, Ctrl+C co...
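The last two entries describe the same sink from two sides: Bootstrap 3.x before 3.4.0 treats the `data-target` attribute value as a selector, and a compose editor that lets pasted HTML keep Bootstrap's data attributes hands attacker markup to that code. The following is an added example, not Open-Xchange's or Bootstrap's code, of the server-side filter the report says was missing: it drops every `data-*` attribute from a pasted fragment and re-serialises the rest with escaped text and attribute values. The sample fragment is constructed.

```python
"""Strip data-* attributes from pasted HTML before it enters a compose editor.

Added example, not Open-Xchange's or Bootstrap's code. The sample paste is constructed.
"""
import html
from html.parser import HTMLParser
from typing import List, Tuple


class DropDataAttrs(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, str]] = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            # data-target, data-toggle, data-parent etc. are all read by
            # Bootstrap's JavaScript, so none of them survive a paste.
            if name.lower().startswith("data-"):
                self.dropped.append((tag, name, value or ""))
                continue
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it.
        self.out.append(html.escape(data, quote=False))


def strip_data_attrs(fragment: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (cleaned HTML, list of (tag, attribute, value) that were dropped)."""
    parser = DropDataAttrs()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed paste: a Bootstrap dropdown trigger whose data-target carries markup.
PASTED = ('<a href="#" class="btn" data-toggle="dropdown" '
          'data-target="<img src=x onerror=alert(1)>">menu</a>')

if __name__ == "__main__":
    cleaned, dropped = strip_data_attrs(PASTED)
    print(cleaned)
    for tag, name, value in dropped:
        print(f"dropped {name!r} on <{tag}>: {value!r}")
```

This filter only addresses the attribute channel; a mail compose sanitiser still needs its usual element and URL allow-list, and on the client side upgrading Bootstrap to a version that no longer treats `data-target` as a raw selector removes the sink itself.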