Lucene search
K

61 matches found

OSV
OSV
added 2026/06/24 8:32 p.m.4 views

CVE-2026-52812 Gogs: LFS dedupe path leaks private repo content across tenants

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid r...

7.1CVSS6AI score0.00236EPSS
Exploits0References6
OSV
OSV
added 2026/06/23 5:10 p.m.7 views

GHSA-6P9M-Q3JP-47H4 Gogs: LFS dedupe path leaks private repo content across tenants

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...

7.1CVSS6AI score0.00236EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/23 5:10 p.m.12 views

Gogs: LFS dedupe path leaks private repo content across tenants

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...

7.1CVSS6AI score0.00236EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.35 views

PT-2026-51630

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Git LFS storage is content-addressed by OID Object Identifier alone, while per-repository authorization is managed in the lfs object table. The serveUpload function skips the re-upload process when an...

7.1CVSS5.8AI score0.00236EPSS
Exploits0References10
NVD
NVD
added 2026/04/28 12:16 a.m.8 views

CVE-2026-41362

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

4.3CVSS0.00274EPSS
Exploits0References4
OSV
OSV
added 2026/04/27 11:24 p.m.3 views

CVE-2026-41362 OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

2.3CVSS6AI score0.00274EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/27 11:24 p.m.10 views

CVE-2026-41362

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

4.3CVSS5.3AI score0.00274EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/04/27 11:24 p.m.13 views

CVE-2026-41362

OpenClaw 2026.2.19 up to 2026.3.31 is affected by an improper cache isolation in the Zalo webhook replay-dedupe mechanism shared across authenticated webhook targets. An attacker controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on other a...

4.3CVSS5.3AI score0.00274EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/27 11:24 p.m.31 views

CVE-2026-41362 OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

4.3CVSS0.00274EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/24 12:31 a.m.6 views

EUVD-2026-25338

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS5.8AI score0.00278EPSS
Exploits0References4
OSV
OSV
added 2026/04/24 12:31 a.m.3 views

GHSA-6477-WVJJ-47V6 Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...

6.3CVSS5.7AI score0.00278EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/24 12:31 a.m.10 views

Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...

6.3CVSS5.7AI score0.00278EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/04/23 10:16 p.m.6 views

CVE-2026-41354

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS0.00278EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/23 9:58 p.m.4 views

CVE-2026-41354

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS5.8AI score0.00278EPSS
Exploits0References4
CVE
CVE
added 2026/04/23 9:58 p.m.16 views

CVE-2026-41354

OpenClaw

6.3CVSS5.8AI score0.00278EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/23 9:58 p.m.3 views

CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS5.9AI score0.00278EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/23 9:58 p.m.38 views

CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS0.00278EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.7 views

PT-2026-34785

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

6.3CVSS5.8AI score0.00278EPSS
Exploits0References5
OSV
OSV
added 2026/04/07 6:15 p.m.7 views

GHSA-RXMX-G7HR-8MX4 OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...

6.3CVSS5.8AI score0.00278EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/07 6:15 p.m.10 views

OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...

6.3CVSS5.9AI score0.00278EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder