OPENSUSE-SU-2026:20611-1 Security update for tomcat

This update for tomcat fixes the following issues: - CVE-2026-24880: Request smuggling via invalid chunk extension bsc1261850. - CVE-2026-25854: Occasionally open redirect bsc1261851. - CVE-2026-29129: TLS cipher order is not preserved bsc1261852. - CVE-2026-29145: OCSP checks sometimes soft-fail...

OPENSUSE-SU-2026:20612-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: - Update to Tomcat 10.1.54 - CVE-2026-24880: Request smuggling via invalid chunk extension bsc1261850. - CVE-2026-25854: Occasionally open redirect bsc1261851. - CVE-2026-29129: TLS cipher order is not preserved bsc1261852. - CVE-2026-29145: OC...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013833)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013833 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: don't allow journal inode to have encrypt flag Mounting a filesystem whose journal inode ha...

Linux Distros Unpatched Vulnerability : CVE-2026-40611

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Let's Encrypt client and ACME library written in Go Lego. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write...

CVE-2026-40611

Let's Encrypt client and ACME library written in Go Lego. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to...

UBUNTU-CVE-2026-40611

Let's Encrypt client and ACME library written in Go Lego. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011087)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011087 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: don't allow journal inode to have encrypt flag Mounting a filesystem whose journal inode ha...

Cleartext Storage in a File or on Disk

Overview Affected versions of this package are vulnerable to Cleartext Storage in a File or on Disk via the encryptauthsettings function. An attacker can access sensitive authentication information stored in cleartext by reading the affected file or disk location remotely. Remediation Upgrade...

CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

CVE-2026-6598

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...

Langflow 安全漏洞

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Versions of Langflow 1.8.3 and earlier contain security vulnerabilities. These vulnerabilities stem from incorrect operations on the functions createproject and...

Insecure Default Initialization of Resource

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via improper validation of the encryptKey configuration and blank callback tokens. An attacker can ga...

GHSA-XH72-V6V9-MWHC OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

PT-2026-38242

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.15 Description An authentication bypass exists in the Feishu webhook and card-action validation. When the encryptKey configuration is missing or callback tokens are blank, the system fails open rather than...

Exploit for Missing Encryption of Sensitive Data in Apache Tomcat

CVE-2026-34486 — Apache Tomcat EncryptInterceptor RCE Apa...

Exploit for Missing Encryption of Sensitive Data in Apache Tomcat

CVE-2026-34486 Apache Tomcat EncryptInterceptor Bypass Vulnera...

BIT-TOMCAT-2026-29146 Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0 through 11.0.18, from 10.0.0 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended t...

BIT-TOMCAT-2026-34486 Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the...