CVE-2026-53817 OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert...

EUVD-2026-36323

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert...

CVE-2026-53817 OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert...

CVE-2026-53817

OpenClaw CVE-2026-53817 affects the Control UI pairing in OpenClaw, where locality validation is insufficient. This allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens, converting temporary shared access into persistent administrative ...

EUVD-2026-36320

OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes ...

CVE-2026-53814

OpenClaw before 2026.5.20 contains a privilege-escalation vulnerability in which a hook-triggered agent runs with owner-scoped MCP loopback authority instead of the hook-appropriate scope. Attackers with a valid hook token can use the /hooks/agent endpoint to cause spawned CLI runtimes to access ...

EUVD-2026-36318

OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered...

CVE-2026-45178

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial ...

EUVD-2026-36306

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

[SECURITY] [DSA 6340-1] neutron security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6340-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff June 11, 2026 https://www.debian.org/security/faq -...

EUVD-2026-36289

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to...

EUVD-2026-36286

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which...

CVE-2026-45178

CVE-2026-45178 affects Idira Secrets Manager Self-Hosted up to version 13.8.0, where improper access control exists in internal cluster endpoints. A remote, authenticated attacker with standard node-level credentials could exploit these endpoints to retrieve unauthorized secrets or trigger a deni...

CVE-2026-45178 Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial ...

CVE-2026-45178 Idira Secrets Manager Self-Hosted: Improper Access Control in Internal Cluster Endpoints

Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial ...

Malicious code in @snowsight/debug-tooling (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8ca444a9a90c96e463edeafef6a8f5ebdcc91dd128361d2b2aa42b6897cc48e7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in experian-analytics-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0b17ea66ee9c256e21971184546b027011520942070236a348fe0da478b5ac66 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5670 Malicious code in pui-diagnostics (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f05c21e14c3c230fc88a2e0513e8dcd1ba8eda06a21ee1371dd5277b4280740a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

GHSA-C2GF-V879-257J netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion

Impact The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec gzip, deflate, zstd and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf...

netty-codec-http2: ByteBuf Reference-Count Leak in DelegatingDecompressorFrameListener Leads to Memory Exhaustion

Impact The DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the appropriate decompression codec gzip, deflate, zstd and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled ByteBuf...