10 matches found

Snyk
added 2026/03/03 9:42 p.m. · 1 views

Missing Authentication for Critical Function

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the /extension endpoint when the Chrome extension relay feature is enabled. An attacker can gain unauthorized access to extension-relay...

5.1 CVSS · 5.8 AI score
Exploits 0 · References 2
OSV
added 2026/03/03 9:42 p.m. · 2 views

GHSA-PFV7-RR5M-QMV6 OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

Summary: When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions: Package: openclaw npm; Affected: = 2026.2.17; Latest published npm version at triage time: 2026.2.17. Impact: Thi...

5.1 CVSS · 6 AI score
Exploits 0 · References 3
OSV
added 2026/02/02 11:15 a.m. · 2 views

CVE-2024-2356

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading ...

9.6 CVSS · 8.8 AI score
Exploits 0 · References 2
CVE
added 2026/02/02 10:36 a.m. · 11 views

CVE-2024-2356

The CVE-2024-2356 family affects parisneo/lollms-webui, with a Local File Inclusion (LFI) in the /reinstall_extension endpoint. The vulnerability targets the name parameter of the POST route, allowing an attacker to inject a malicious value that causes the server to load and execute arbitrary Pyt...

9.6 CVSS · 5.9 AI score · 0.00117 EPSS
Exploits 0 · References 2
EUVD
added 2026/02/02 10:36 a.m. · 1 views

EUVD-2024-27309

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading ...

9.6 CVSS · 5.9 AI score · 0.00117 EPSS
Exploits 0 · References 3
OSV
added 2024/10/24 9:15 p.m. · 0 views

UBUNTU-CVE-2024-47878

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...

8.1 CVSS · 5.8 AI score · 0.00215 EPSS
Exploits 1 · References 4
OSV
added 2024/06/06 7:16 p.m. · 1 views

CVE-2024-4320

A remote code execution (RCE) vulnerability exists in the '/installextension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post("/installextension") route handler. The vulnerability arises due to improper handling of the name parameter in the...

9.8 CVSS · 6.5 AI score · 0.66234 EPSS
Exploits 1 · References 1
Positive Technologies
added 2024/06/06 12:00 a.m. · 3 views

PT-2024-30366 · Unknown · Parisneo/Lollms-Webui

Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui (affected versions not specified). Description: A remote code execution (RCE) vulnerability exists in the '/install extension' endpoint of the parisneo/lollms-webui application. The vulnerability arises due to improper handli...

9.8 CVSS · 9.9 AI score · 0.66234 EPSS
Exploits 1 · References 9
CNNVD
added 2024/01/18 12:00 a.m. · 2 views

jupyterlab-lsp Security Vulnerabilities

jupyterlab-lsp is a tool that provides coding help for JupyterLab using the Language Server protocol. A security vulnerability exists in jupyterlab-lsp 2.2.1 and earlier versions, which stems from a lack of authentication of the jupyter-lsp server extension endpoint, allowing an attacker to acces...

9.8 CVSS · 7 AI score · 0.00167 EPSS
Exploits 0 · References 3
CNNVD
added 2023/08/02 12:00 a.m. · 3 views

Octopus Deploy Security Vulnerability

Octopus Deploy is an automation tool for .NET, Java, and other application development and deployment from Octopus Deploy Australia. Octopus Deploy suffers from a security vulnerability that stems from the ability of a user with low privileges to interact with an extension endpoint...

5.5 CVSS · 6.7 AI score · 0.00101 EPSS
Exploits 0 · References 2