295 matches found
EUVD-2026-43565
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
EUVD-2026-43566
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62188
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62187
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
CVE-2026-62188 OpenClaw < 2026.6.9 Feishu Authorization Bypass
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62188
OpenClaw @openclaw/feishu (versions
CVE-2026-62187
The CVE affects the npm package @openclaw/feishu (OpenClaw Feishu tools). Versions up to and including 2026.6.6 could ignore per-account disablement, allowing a lower-trust caller or a configured input path to perform actions that should require stronger authorization. The consequence is unauthor...
CVE-2026-62187 OpenClaw < 2026.6.9 Feishu tools Authorization Bypass
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
CVE-2026-53961 Discourse: Forged AWS SNS bounce notifications can disable a targeted user's email (missing TopicArn binding)
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish...
GHSA-CQ9C-6W48-QMFG @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...
Insufficient Session Expiration
Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Insufficient Session Expiration due to the lack of user status verification in the validateSession process. An attacker can maintain unauthorized access to server endpoints and sensiti...
Security Bulletin: SSLv2 DROWN Vulnerability (CVE-2016-0800)
Question Security Bulletin: SSLv2 DROWN Vulnerability CVE-2016-0800 "Business Unit":"code":"BU059","label":"IBM Software w/o TPS","Product":"code":"SS8NDZ","label":"IBM Aspera","Component":"","Platform":"code":"PF025","label":"Platform Independent","Version":"All Versions","Edition":"","Line of...
CVE-2026-53982 Cap-go Console < 12.28.2 Account Deletion DoS via Device Identifier Association
Cap-go Console 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the...
CVE-2026-46657
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
EUVD-2026-35085
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-46657 Bludit's persistent authentication tokens not revoked upon account disablement
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear t...
CVE-2026-4913
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled...
SUSE CVE-2026-46255
In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-edma: don't explicitly disable clocks in .remove The clocks in fsledmaengine::muxclk are allocated and enabled with devmclkgetenabled, which automatically cleans these resources up, but these clocks are also manual...