Lucene search
K

4 matches found

OSV
OSV
added 2026/07/02 4:34 p.m.9 views

GHSA-JVM4-4J77-39P6 OpenClaw: QQBot streaming command could mutate config without explicit allowFrom

Summary QQBot streaming command could mutate config without explicit allowFrom. In affected versions, a QQBot sender reaching the affected command could change configuration without requiring an explicit non-wildcard allowlist entry. This advisory is scoped to the named feature and configuration...

8.7CVSS6AI score0.00172EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/14 8:15 p.m.9 views

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

5.1CVSS5.8AI score0.00204EPSS
Exploits0References10Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/14 8:22 p.m.4 views

CVE-2026-22818

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, there is a flaw in Hono’s JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly defi...

8.2CVSS6.5AI score0.00118EPSS
Exploits0References1
OSV
OSV
added 2024/09/10 7:42 p.m.52 views

GHSA-M6FV-JMCG-4JFG send vulnerable to template injection that can lead to XSS

Impact passing untrusted user input - even after sanitizing it - to SendStream.redirect may execute untrusted code Patches this issue is patched in send 0.19.0 Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any...

5CVSS6.9AI score0.00511EPSS
Exploits0References5
Rows per page
Query Builder