CVE-2026-33748 vulnerabilities
Vulnerabilities for packages: osv-scanner, trivy-fips, scorecard, trivy-operator-fips, kubescape-server, buildah, guac, skaffold, docker-fips, conftest-fips, kaniko, cloudbeat, conftest, docker-cli-buildx, buildah-fips, docker-cli-buildx-fips, zot, kaniko-fips, cloudbeat-fips, docker-compose-fips...
PT-2026-28312
Name of the Vulnerable Software and Affected Versions: Coverity Connect (affected versions not specified). Description: The authentication logic in the command line tooling for Coverity Connect is missing an error handler, leading to a potential authentication bypass. An attacker with access to the...
GHSA-RVQR-HRCC-J9VV OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution
Summary: Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target. Affected Packages / Versions: Package: openclaw npm; Affected: = 2026.3.22; Latest released tag checked: v2026.3.23-2...
External Control of Critical State Data
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to External Control of Critical State Data in the CLI routing process after failed service resolution, where Bonjour and DNS-SD TXT metadata could still influence the chosen target. An...
CVE-2021-4474 Ruckus AP CLI Arbitrary File Read Allows Authenticated Remote File Access
Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive...
@algolia/coquille (>=0.0.2 <=0.0.13), @candlelabs/sdk (>=1.0.1 <=1.0.2) +20 more potentially affected by CVE-2026-33750 via brace-expansion (>=1.1.0 <=1.1.11)
brace-expansion NPM version =1.1.0, =0.0.2, =1.0.1, =0.0.1, =0.1.0, =1.0.0, =1.0.0, =1.1.1, =1.0.3-dev.20180316T104657Z.4a84a30, =1.1.0 and more. Source cves: CVE-2026-33750. Source advisory: SNYK:JS-BRACEEXPANSION-15789759...
jo-cli (=1.0.2) potentially affected by CVE-2026-33750 via brace-expansion (=3.0.0)
brace-expansion NPM version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on brace-expansion and may be impacted: jo-cli =1.0.2. Source cves: CVE-2026-33750. Source advisory: OSV:GHSA-F886-M6HF-6M8V...
jo-cli (=1.0.2) potentially affected by CVE-2026-33750 via brace-expansion (=3.0.0)
brace-expansion NPM version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on brace-expansion and may be impacted: jo-cli =1.0.2. Source cves: CVE-2026-33750. Source advisory: SNYK:JS-BRACEEXPANSION-15789759...
CVE-2025-15518
Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the...
CVE-2025-15519
Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the...
CVE-2026-3587
An unauthenticated remote attacker can exploit a hidden function in the CLI prompt to escape the restricted interface, leading to full compromise of the device...
CVE-2026-3841
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute...
CVE-2026-20046
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to elevate privileges and gain full administrative control of an affected device. This vulnerability is due to incorrect mapping of a command to task groups...
CVE-2026-20040
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI...
CVE-2026-31975
Cloud CLI aka Claude Code UI is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated into...
PT-2026-28264
Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interface that allows authenticated remote attackers with administrative privileges to read arbitrary files from the underlying filesystem. Attackers can exploit this vulnerability to access sensitive...
@grackle-ai/cli (>=0.0.2 <=0.108.4) potentially affected by unknown CVE via @grackle-ai/server (>=0.0.2 <=0.70.5)
@grackle-ai/server NPM version =0.0.2, =0.0.2, =0.108.4. Source cves: unknown CVE. Source advisory: SNYK:JS-GRACKLEAISERVER-15840331...
@grackle-ai/cli (>=0.0.2 <=0.108.4) potentially affected by unknown CVE via @grackle-ai/server (>=0.0.2 <=0.70.4)
@grackle-ai/server NPM version =0.0.2, =0.0.2, =0.108.4. Source cves: unknown CVE. Source advisory: SNYK:JS-GRACKLEAISERVER-15840037...
@grackle-ai/cli (>=0.0.2 <=0.108.4) potentially affected by unknown CVE via @grackle-ai/server (>=0.0.2 <=0.70.2)
@grackle-ai/server NPM version =0.0.2, =0.0.2, =0.108.4. Source cves: unknown CVE. Source advisory: SNYK:JS-GRACKLEAISERVER-15840352...