2624 matches found

Packet Storm News
added 2026/03/30 12:00 a.m. | 1 view

Apple Security Advisory 03-24-2026-2

Apple Security Advisory 03-24-2026-2 - iOS 18.7.7 and iPadOS 18.7.7 addresses bypass, null pointer, out of bounds access, and use-after-free vulnerabilities...

CVSS 7.5 | AI score 5.8 | EPSS 0.00179
Exploits: 5

Packet Storm News
added 2026/03/30 12:00 a.m. | 0 views

Apple Security Advisory 03-24-2026-8

Apple Security Advisory 03-24-2026-8 - visionOS 26.4 addresses bypass, information leakage, null pointer, out of bounds access, and use-after-free vulnerabilities...

CVSS 9.3 | AI score 5.8 | EPSS 0.00179
Exploits: 6

OSV
added 2026/03/29 3:10 p.m. | 0 views

GHSA-MV9J-8JVG-J8MR mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality

Impact The tempo/session cooperative close handler validated the close voucher amount using instead of = against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing...

CVSS 7.5 | AI score 5.9 | EPSS 0.00013
Exploits: 0 | References: 5

RedhatCVE
added 2026/03/28 11:09 p.m. | 1 view

CVE-2026-33885

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

CVSS 6.1 | AI score 5.7 | EPSS 0.00048
Exploits: 0 | References: 1

Cvelist
added 2026/03/27 9:29 p.m. | 17 views

CVE-2026-33979 Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross Site Scripting XSS attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are...

CVSS 8.2 | EPSS 0.0002
Exploits: 1 | References: 3

ATTACKERKB
added 2026/03/27 7:52 p.m. | 2 views

CVE-2026-33869

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The...

CVSS 4.8 | AI score 5.8 | EPSS 0.00057
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2026/03/27 5:43 p.m. | 3 views

GHSA-X744-4WPC-V9H2 Moby has AuthZ plugin bypass when provided oversized request bodies

Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affecte...

CVSS 8.8 | AI score 5.8 | EPSS 0.00008
Exploits: 0 | References: 7

CVE
added 2026/03/26 11:56 p.m. | 3 views

CVE-2026-27893

CVE-2026-27893 affects vLLM’s inference/serving engine. From version 0.10.1 up to (but not including) 0.18.0, two model implementation files hardcode trust_remote_code=True when loading sub-components, bypassing the user’s --trust-remote-code=False security opt-out. This enables remote code execu...

CVSS 8.8 | AI score 6.5 | EPSS 0.00046
Exploits: 0 | References: 3 | Affected Software: 1

Snyk
added 2026/03/26 9:30 p.m. | 1 view

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the reconciliation process for Tlon settings when explicit empty allowlists are treated as unset. An attacker can bypass intended access revocation by exploitin...

CVSS 6.5 | AI score 5.9 | EPSS 0.00033
Exploits: 0 | References: 3

RedhatCVE
added 2026/03/26 3:13 p.m. | 1 view

CVE-2025-48840

An authentication bypass by spoofing vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.8, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow a remote unauthenticated attacker to bypass hostname restrictions via a specially crafted request...

CVSS 5.3 | AI score 5.9 | EPSS 0.00092
Exploits: 0 | References: 1

RedhatCVE
added 2026/03/26 3:01 p.m. | 2 views

CVE-2026-27522

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user...

CVSS 7.1 | AI score 5.9 | EPSS 0.00019
Exploits: 0 | References: 1

OSV
added 2026/03/25 8:16 p.m. | 0 views

UBUNTU-CVE-2026-33217

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied in the $MQTT. namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Versions...

CVSS 7.1 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 4

RedHat Linux
added 2026/03/25 4:52 p.m. | 4 views

tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

A flaw was found in Apache Tomcat. When an Online Certificate Status Protocol OCSP responder is used, the Tomcat Native component, and Tomcat's FFM port of the Tomcat Native code, does not properly verify or check the freshness of the OCSP response. This improper input validation vulnerability...

CVSS 7.5 | AI score 5.7 | EPSS 0.00091
Exploits: 0 | References: 5

CVE
added 2026/03/25 4:14 p.m. | 2 views

CVE-2026-32492

CVE-2026-32492 is reported in Wordfence for the WordPress plugin My Tickets – Accessible Event Ticketing, affecting versions

CVSS 5.3 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 1

CNVD
added 2026/03/25 12:00 a.m. | 1 view

Google Chrome Security Bypass Vulnerability (CNVD-2026-15397)

Google Chrome is a web browser from Google, an American company. Google Chrome suffers from a security bypass vulnerability that is caused by insufficient policy enforcement in ChromeDriver. An attacker can exploit the vulnerability to bypass security restrictions...

CVSS 6.5 | AI score 5.9 | EPSS 0.00032
Exploits: 0

Cvelist
added 2026/03/24 1:25 p.m. | 14 views

CVE-2026-33418 @dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection

DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...

CVSS 7.5 | EPSS 0.00021
Exploits: 0 | References: 1

CNVD
added 2026/03/24 12:00 a.m. | 0 views

OpenClaw Authorization Bypass Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authorization bypass vulnerability that can be exploited by an attacker to attack inherited elevated tool privileges via identifier conflict...

CVSS 6.5 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 1

NVD
added 2026/03/23 3:16 p.m. | 1 view

CVE-2026-33480

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching the...

CVSS 8.6 | EPSS 0.00068
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/23 2:08 p.m. | 1 view

CVE-2026-33480

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching the...

CVSS 8.6 | AI score 5.8 | EPSS 0.00068
Exploits: 1 | References: 3 | Affected Software: 1

Debian
added 2026/03/23 6:49 a.m. | 2 views

[SECURITY] [DLA 4506-1] mapserver security update

Debian LTS Advisory DLA-4506-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin March 23, 2026 https://wiki.debian.org/LTS Package : mapserver Version : 7.6.2-1+deb11u1 CVE ID : CVE-2021-32062 CVE-2025-59431 Debian Bug : 988208 Vulnerabilities were found in mapserve...

CVSS 9.8 | AI score 6.2 | EPSS 0.00951
Exploits: 1