754 matches found
CVE-2026-40284
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page,...
CVE-2026-40284
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page,...
EUVD-2026-23527
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page,...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007563)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007563 advisory. In the Linux kernel, the following vulnerability has been resolved: blk-mq: cancel blk-mq dispatch work in both blkcleanupqueue and diskrelease For avoiding to slow...
PT-2026-33512
WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript via the "Destinatário" field. The payload is stored and later executed when viewing the dispatch page,...
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
CVE-2026-35652 OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
CVE-2026-35652
OpenClaw is affected before version 2026.3.22 by an authorization bypass in interactive callback dispatch. The flaw allows non-allowlisted senders to invoke action handlers by dispatching callbacks before normal security validation completes, enabling unauthorized actions. The CVE notes a MEDIUM ...
CVE-2026-35652
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
EUVD-2026-21450
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
CVE-2026-35652 OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
CVE-2026-5998 zhayujie chatgpt-on-wechat CowAgent API Memory Content Endpoint service.py dispatch path traversal
A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. Th...
Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before...
PT-2026-31963
OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling...
CVE-2026-35627
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through...
EUVD-2026-19728
Emissary has GitHub Actions Shell Injection via Workflow Inputs...
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Summary Server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on...
Cross-site Request Forgery (CSRF)
Overview rwsdk is a Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the server function dispatch process. An attacker can cause unauthorized state-changing operations by tricking a...
GHSA-4P4F-FC8Q-84M3 OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. Impact A loaded attacker-controlled page...
CVE-2026-35580
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflowdispatch inputs were interpolated directly into shell commands via $ expression syntax. An attacker with repository write access could...