OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.29 contained security vulnerabilities. These vulnerabilities stemmed from SSRF policy bypasses in browser debugging and route exports, allowing for the reuse of already opened...

Samba 访问控制错误漏洞

Samba is an open-source suite of standard Windows interoperability programs for Linux and Unix systems. Samba has a control access vulnerability that stems from the lack of SMB-layer access checks when handling NTFS-style symbolic links. This vulnerability allows authenticated users to create or...

Malicious code in vite-plugin-css-blend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76 The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStylespalette, accents export, when called on...

MAL-2026-4706 Malicious code in vite-plugin-css-blend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a47fa75fbd028d1aca89ca790036f760c76d8e486175505ef4a8f59f33e7c76 The package is published as a Vite CSS plugin but exposes no Vite plugin API. Its documented applyGlobalStylespalette, accents export, when called on...

Request Tracker 安全漏洞

Request Tracker is a problem and ticket tracking system developed by Request Tracker Inc. Versions prior to Request Tracker 5.0.10, as well as versions 6.0.0 to 6.0.2, contained security vulnerabilities. These vulnerabilities stemmed from the fact that data controlled by users during spreadsheet...

Malicious code in 11j (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...

MAL-2026-3670 Malicious code in 11j (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ad371791d84a3c28ca12b62bae45a07567847b7df025c93611f8f504a1c869 the analysis identified unambiguous malicious behavior in log.js the package main: an IIFE executes on require/import that monkey-patches...

CVE-2026-6214 Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listenforsavingexportschedule function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration,...

CVE-2026-6214 Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listenforsavingexportschedule function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration,...

SUSE CVE-2026-43088

In the Linux kernel, the following vulnerability has been resolved: net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkeysockaddrfill initializes only th...

EUVD-2026-27586

In the Linux kernel, the following vulnerability has been resolved: net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkeysockaddrfill initializes only th...

CVE-2026-43181 gpio: sysfs: fix chip removal with GPIOs exported over sysfs

In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the pare...

CVE-2026-43088

In the Linux kernel, the following vulnerability has been resolved: net: afkey: zero aligned sockaddr tail in PFKEY exports PFKEY export paths use pfkeysockaddrsize when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, pfkeysockaddrfill initializes only th...

CVE-2026-5753

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmveSchedulesController::save' handler for 'adminpostai1wmscheduleeventsave' not verifying user capabilities before saving...

EUVD-2026-27522

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmveSchedulesController::save' handler for 'adminpostai1wmscheduleeventsave' not verifying user capabilities before saving...

WordPress plugin All-in-One WP Migration Unlimited Extension 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-5335

The CVE-2026-5335 affects the Magic Export & Import WordPress plugin (versions before 1.2.0). The root cause is that exported CSV files are stored at a publicly accessible location, enabling unauthenticated disclosure of sensitive user information. Affected component is the export/import facility...

WordPress plugin Magic Export & Import 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-40182

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory...

kcp's cache server is accessible without authentication or authorization checks

Summary The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details The cache server is routed in the pre-mux chain in the shard code. The...