13777 matches found

OSV
added 2026/03/27 7:13 p.m., 2 views

CVE-2026-34388 Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint

Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all...

CVSS 8.7 | AI score 5.9 | EPSS 0.00063
Exploits 0 | References 3
OSV
added 2026/03/27 6:39 p.m., 1 view

GO-2026-4762 Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc...

CVSS 9.1 | AI score 5.8 | EPSS 0.0002
Exploits 1 | References 1
Github Security Blog
added 2026/03/27 6:21 p.m., 9 views

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...

CVSS 8.1 | AI score 6 | EPSS 0.00032
Exploits 1 | References 5 | Affected Software 1
NVD
added 2026/03/27 5:16 p.m., 1 view

CVE-2026-4963

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...

CVSS 10 | EPSS 0.00022
Exploits 1 | References 7
EUVD
added 2026/03/27 3:30 p.m., 4 views

EUVD-2026-16658

A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiate...

CVSS 5.1 | AI score 5.5 | EPSS 0.00055
Exploits 1 | References 5
NVD
added 2026/03/27 3:17 p.m., 2 views

CVE-2026-4957

A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiate...

CVSS 5.1 | EPSS 0.00055
Exploits 1 | References 4
ATTACKERKB
added 2026/03/27 2:52 p.m., 3 views

CVE-2026-4957

A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiate...

CVSS 5.1 | AI score 5.5 | EPSS 0.00055
Exploits 1 | References 4 | Affected Software 1
CVE
added 2026/03/27 2:52 p.m., 3 views

CVE-2026-4957

OpenBMB XAgent 1.0.0 is affected. The issue sits in the file XAgent/function_handler.py, inside the API Key Handler, specifically the function FunctionHandler.handle_tool_call. Manipulating the argument api_key can cause sensitive information to be written to log files. This enables a remote att...

CVSS 5.1 | AI score 5.5 | EPSS 0.00055
Exploits 1 | References 4 | Affected Software 1
Cvelist
added 2026/03/27 2:52 p.m., 21 views

CVE-2026-4957 OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file

A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiate...

CVSS 5.1 | EPSS 0.00055
Exploits 1 | References 4
SUSE CVE
added 2026/03/27 12:25 a.m., 2 views

SUSE CVE-2026-33413

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted...

CVSS 8.6 | AI score 5.9 | EPSS 0.00039
Exploits 0 | References 3
Github Security Blog
added 2026/03/26 7:50 p.m., 4 views

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Summary Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

CVSS 6.9 | AI score 5.8 | EPSS 0.00124
Exploits 0 | References 6 | Affected Software 1
CVE
added 2026/03/26 7:49 p.m., 16 views

CVE-2026-33532

Summary: CVE-2026-33532 affects the yaml JavaScript library. The vulnerability is in the compose/resolve phase of the parser, where a recursive call path without a depth bound can cause a RangeError: Maximum call stack size exceeded when parsing YAML input (typical payload ~2–10 KB). This can lea...

CVSS 4.3 | AI score 6.1 | EPSS 0.00025
Exploits 1 | References 4 | Affected Software 1
Github Security Blog
added 2026/03/26 6:56 p.m., 2 views

OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...

CVSS 8.3 | AI score 5.9 | EPSS 0.00042
Exploits 0 | References 6 | Affected Software 1
RedhatCVE
added 2026/03/26 6:50 p.m., 4 views

CVE-2026-33413

A flaw was found in etcd, a distributed key-value store. Unauthorized users can bypass authentication or authorization checks when the gRPC API is exposed to untrusted clients. This allows them to access sensitive cluster topology information, disrupt operations through alarms, interfere with lea...

CVSS 8.8 | AI score 5.8 | EPSS 0.00039
Exploits 0 | References 4
OSV
added 2026/03/26 5:16 p.m., 1 view

UBUNTU-CVE-2026-33416

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation acros...

CVSS 7.5 | AI score 6 | EPSS 0.00026
Exploits 1 | References 5
RedhatCVE
added 2026/03/26 3:12 p.m., 3 views

CVE-2026-3546

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshotformbuildergetaccountdata function is registered as a wp_ajax AJAX handler accessible to all authenticated users. The function lacks any capability che...

CVSS 5.3 | AI score 5.8 | EPSS 0.00047
Exploits 0 | References 1
RedhatCVE
added 2026/03/26 3:11 p.m., 2 views

CVE-2026-32053

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

CVSS 6.9 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 1
RedhatCVE
added 2026/03/26 3:06 p.m., 3 views

CVE-2026-26330

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, at the rate limit filter, if the response phase limit with apply_on_stream_done in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. Whe...

CVSS 7.5 | AI score 5.8 | EPSS 0.00004
Exploits 0 | References 1
RedhatCVE
added 2026/03/26 3:04 p.m., 2 views

CVE-2026-3584

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'formprocess' function. This is due to the 'preparepostdata' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of...

CVSS 9.8 | AI score 6.1 | EPSS 0.28725
Exploits 2 | References 1
RedhatCVE
added 2026/03/26 3:03 p.m., 1 view

CVE-2026-30939

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The...

CVSS 8.8 | AI score 5.8 | EPSS 0.00181
Exploits 0 | References 1