CVE-2025-15470

The CVE describes an arbitrary directory deletion vulnerability in the Eleganzo WordPress theme (versions

CVE-2025-15470 Eleganzo <= 1.2 - Authenticated (Subscriber+) Arbitrary Directory Deletion

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2026-33018

libsixel 1.8.7 and prior contain a heap use‑after‑free in load_gif() (fromgif.c): a single sixel_frame_t is reused across all frames of an animated GIF and gif_init_frame() frees/reallocates frame-&gt;pixels between frames regardless of reference counts. A callback using sixel_frame_get_pixels() ...

CVE-2026-5295

A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wcPKCS7DecryptOri function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo ORI recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer...

HackerOne: CVE-2026-21637 TLS PSK/ALPN Callback Exceptions Bypass Error Handlers

CVE-2026-21637 is regarding a vulnerability in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError...

CLSA-2026-1776098295 pyOpenSSL: Fix of CVE-2026-27448

CVE-2026-27448: fix fail-open in settlsextservernamecallback when callback raises exception...

K000160722: Linux kernel vulnerability CVE-2026-23324

Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: can: usb: etases58x: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be...

How to Deploy Veeam Backup for Salesforce External Client App

Purpose This article documents how to create an External Client App ECA in Salesforce to integrate with Veeam Backup for Salesforce via Salesforce API. An ECA with proper permissions is required for Veeam Backup for Salesforce to integrate with Salesforce API using the OAuth 2.0 protocol. Solutio...

CVE-2026-35664

OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization...

CVE-2026-35661

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypas...

CVE-2026-35652

OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...

Authentication Bypass Using an Alternate Path or Channel

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the Telegram callback query handling process. An attacker can modify session state by exploiting weaker callback-only...

CVE-2026-35664

OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization...

EUVD-2026-21474

OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization...

CVE-2026-35661

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypas...

EUVD-2026-21468

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypas...

CVE-2026-35661

CVE-2026-35661 affects OpenClaw prior to 2026.3.25. Affected component: Telegram callback query handling allows an authorization bypass that enables remote attackers to mutate session state without satisfying normal DM pairing. Attack requires no user interaction and network access (low complexit...

CVE-2026-35661 OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypas...

CVE-2026-35652 OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch

OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...

CVE-2026-35652

OpenClaw is affected before version 2026.3.22 by an authorization bypass in interactive callback dispatch. The flaw allows non-allowlisted senders to invoke action handlers by dispatching callbacks before normal security validation completes, enabling unauthorized actions. The CVE notes a MEDIUM ...