
8 matches found

Source: GitHub Security Blog · added 2026/04/02 8:57 p.m. · 11 views

OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic

Summary: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic. Current maintainer triage: status: narrow; normalized severity: high; assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay...

CVSS 6.1 · AI score 6 · EPSS 0.00018
Exploits 0 · References 6 · Affected software 1
Source: Vulnrichment · added 2026/03/06 3:05 a.m. · 5 views

CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php

WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a...

CVSS 9.8 · AI score 5.8 · EPSS 0.2583
Exploits 1 · References 3
Source: Tenable Nessus · added 2026/02/05 12:00 a.m. · 5 views

Amazon Linux 2023 : golist (ALAS2023-2026-1382)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1382 advisory: net/http: memory exhaustion in Request.ParseForm (CVE-2025-61726); archive/zip: denial of service when parsing arbitrary ZIP archives (CVE-2025-61728); crypto/tls: handshake messages may be processe...

CVSS 10 · AI score 7.2 · EPSS 0.00025
Exploits 2 · References 10
Source: Vulnrichment · added 2025/05/13 9:31 a.m. · 14 views

CVE-2025-4647 A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', XSS) vulnerability in Centreon web allows Reflected XSS. A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG. This issue affects web: from 24.10.0 before...

CVSS 8.4 · AI score 8.4 · EPSS 0.00211
Exploits 0 · References 2
Source: Positive Technologies · added 2023/10/04 12:00 a.m. · 3 views

PT-2023-29225 · Unknown · Sanitize-Html

Name of the vulnerable software and affected versions: HtmlSanitizer versions prior to 8.0.723; HtmlSanitizer version 8.1.722-beta and earlier. Description: The issue occurs in configurations where foreign content is allowed, specifically when svg or math are in the list of allowed elements. This...

CVSS 6.1 · AI score 6.1 · EPSS 0.00161
Exploits 0 · References 10
Source: NVD · added 2023/05/24 5:15 p.m. · 16 views

CVE-2021-25748

A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the spec.rules.http.paths.path field of an Ingress object in the networking.k8s.io or extensions API group to obtain the credentials of...

CVSS 7.6 · AI score 7.5 · EPSS 0.00167
Exploits 0 · References 2
Source: Snyk · added 2022/09/20 1:17 p.m. · 2 views

Prototype Pollution

Overview: express-xss-sanitizer is an Express 4.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross-Site Scripting (XSS) attacks. Affected versions of this package are vulnerable to Prototype Pollution via the allowedTags attribute, allowin...

CVSS 7.3 · AI score 7.4 · EPSS 0.00504
Exploits 1 · References 2
Source: Positive Technologies · added 2021/11/17 12:00 a.m. · 2 views

PT-2021-6670 · Unknown +1 · Ckeditor 4 +1

Name of the vulnerable software and affected versions: CKEditor 4 versions prior to 4.17.0. Description: A vulnerability has been discovered in the core HTML processing module of CKEditor 4, which may affect all plugins used by the editor. This issue allows an attacker to inject malformed comments...

CVSS 8.2 · AI score 6.2 · EPSS 0.00106
Exploits 0 · References 22