Replay Attack

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack via the webhook signature verification process. An attacker can bypass replay detection by submitting requests with equivalent Base64 and Base64URL-encoded signatures,...

CVE-2026-35535

In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation...

PT-2026-30272

Name of the Vulnerable Software and Affected Versions SandboxJS versions prior to 0.8.35 Description SandboxJS has a flaw where direct assignment to global objects is blocked, but this protection can be bypassed through a callable constructor path using this.constructor.calltarget, attackerObject...

PT-2026-30230

Name of the Vulnerable Software and Affected Versions versions affected versions not specified Description An authenticated user can access other user profiles by manipulating the id number within an API call. This occurs through a specific API endpoint. Recommendations At the moment, there is no...

ROS-20260403-73-0003

A vulnerability in the ksmbdsessionrpcopen function in the fs/smb/server/mgmt/usersession.c module of the Linux kernel SMB server support is related to the reuse of previously freed memory. Exploitation of the vulnerability may allow an attacker to affect confidentiality, integrity and availabili...

GHSA-89R3-6X4J-V7WF OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

Summary Voice-call Plivo replay mutates in-process callback origin before replay rejection Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 can still mutate Plivo callback origin before replay rejection, but this needs a captured valid callback for a...

Replay Attack

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation...

CVE-2026-31937

A flaw was found in Suricata, a network intrusion detection, prevention, and security monitoring engine. A remote attacker could exploit an inefficiency in the Distributed Computing Environment/Remote Procedure Call DCERPC buffering mechanism. This could lead to a denial of service DoS due to...

GHSA-77RH-M34W-RV36 Agno is vulnerable to Eval Injection

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

Agno is vulnerable to Eval Injection

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

EUVD-2026-18274

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsopenvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...

CVE-2026-35002

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

CVE-2026-34794

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsids.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...

UBUNTU-CVE-2026-31937

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15...

CVE-2026-33533

Glances prior to 4.5.3 exposes a Cross‑Origin Resource Sharing (CORS) weakness in its XML‑RPC server (enabled with glances -s/--server). The XML‑RPC handler does not validate Content‑Type, allowing an attacker‑controlled page to issue a CORS simple request (POST, Content‑Type: text/plain) that ca...

CVE-2026-33533

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server activated with glances -s or glances --server sends Access-Control-Allow-Origin: on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an...

CVE-2026-33533

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server activated with glances -s or glances --server sends Access-Control-Allow-Origin: on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an...

CVE-2026-33533

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server activated with glances -s or glances --server sends Access-Control-Allow-Origin: on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an...

CVE-2026-34796

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logsopenvpn.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...

CVE-2026-34796

Endian Firewall, up to version 3.3.25, is affected by a command-injection in /cgi-bin/logs_openvpn.cgi via the DATE parameter. The root cause is incomplete regular-expression validation that allows the DATE value to be used in a Perl open() call, enabling authenticated users with low privileges a...