CVE-2026-38527

A Server-Side Request Forgery SSRF in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request...

CVE-2026-6224

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be...

EUVD-2026-22089

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this...

CVE-2026-6224 nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be...

CVE-2026-40041

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

CVE-2026-40041

CVE-2026-40041 affects Pachno 1.0.6 and describes a cross-site request forgery (CSRF) vulnerability arising from missing CSRF protections on state-changing endpoints. Attackers can craft requests that execute actions in an authenticated user context via attacker-controlled sites, targeting login,...

Prototype Pollution

LangSmith is vulnerable to Prototype Pollution. The vulnerability is due to an incomplete prototype pollution fix in its internally vendored lodash set utility, where the baseAssignValue function only guards against the proto key, but fails to prevent traversal via constructor.prototype, and...

PT-2026-32495

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

ytDownloader 代码注入漏洞

ytDownloader is a multi-platform audio and video download tool developed by Andrew. Versions of ytDownloader 3.20.2 and earlier had a code injection vulnerability, which stemmed from a cross-site scripting attack involving the function createTextNode in the Error Details Panel component...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in state-changing routes. An attacker can upload or delete files, create directories, and remove access control policies by sending unauthenticated requests to endpoints such as...

CVE-2026-40190 LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

GHSA-8WRQ-FV5F-PFP2 parisneo/lollms vulnerable to stored XSS in the social feature

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1115

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1115 Stored XSS in parisneo/lollms

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1115 Stored XSS in parisneo/lollms

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1115

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

EUVD-2026-21120

OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files,...

Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7xr2-q9vf-x4r5. This link is maintained to preserve external references. Original Description OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers tha...

PT-2026-31885

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions prior to 2.2.0 Description A Stored Cross-Site Scripting XSS vulnerability exists in the social feature of parisneo/lollms. The vulnerability is located in the create post function within backend/routers/social/ init...