Externally Controlled Reference to a Resource in Another Sphere
Overview: openclaw is "🦞 OpenClaw — Personal AI Assistant". Affected versions of this package are vulnerable to Externally Controlled Reference to a Resource in Another Sphere via the dotenv loading process. An attacker can redirect runtime traffic away from operator-configured endpoints by setting...
python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback
Summary: set_key and unset_key in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Details: The rewrite context manager in dotenv/main.py is used by both set_key...
Symlink Attack
Overview: Affected versions of this package are vulnerable to Symlink Attack via the set_key and unset_key functions. An attacker can overwrite arbitrary files by creating a crafted symbolic link that is followed during a cross-device rename fallback. PoC (python): import os import sys import tempfile...
1password-secrets (>=0.0.1.dev107 <=0.4.0), 42towels (>=0.1.1001 <=0.1.1011) +2464 more potentially affected by CVE-2026-28684 via python-dotenv (>=1.0.0 <=1.2.1)
python-dotenv PYPI version =1.0.0, =0.0.1.dev107, =0.1.1001, =0.0.1, =2.3.0, =0.15.1, =0.1.0, =0.1.0, =1.0.0, =2.3.9, =1.18.8, =0.1.0b0, =0.0.1, =0.4.0, =0.0.0, =0.0.9 and more Source cves: CVE-2026-28684 Source advisory: SNYK:PYTHON-PYTHONDOTENV-16115271...
Linux Distros Unpatched Vulnerability : CVE-2026-28684
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, set_key and unset_key in python-dotenv...
External Control of System or Configuration Setting
Overview: openclaw is "🦞 OpenClaw — Personal AI Assistant". Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the handling of the .env file, which can override the trusted root directory for bundled plugins. An attacker can influence the...
EUVD-2025-121251
Malicious code in titan-dotenv-rigel-vortex npm...
Hela (>=0.1.0 <=0.1.4), IMAPServer (=0.2.0) +1257 more potentially affected by unknown CVE via dotenv (>=0.10.1 <=0.9.0)
dotenv CARGO version =0.10.1, =0.1.0, =0.1.0, =0.2.0-beta.4, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =0.4.0, =0.4.3 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2021-0141...
Command execution vulnerability in dotenv
dotenv is a library that enables Node.js to load environment variables from files. A command execution vulnerability exists in dotenv. An attacker can exploit this vulnerability to execute system commands...