Amazon Linux 2023 : bpftool6.12, kernel6.12, kernel6.12-devel (ALAS2023-2026-1487)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1487 advisory. In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raiddisks via sysfs CVE-2025-71225 In the Linux kernel, the following vulnerability has bee...

CVE-2026-33885 Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.16 and 6.7.2, the external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions an...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

Important: kernel6.12

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raiddisks via sysfs CVE-2025-71225 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix reservation leak in some error paths when inserting inline extent...

CVE-2026-33620 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Impact The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. Patches This has been fixed in 5.73.16 and 6.7.2...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via URL parsing differentials in unauthenticated endpoints. An attacker can redirect users to external sites by crafting malicious URLs that bypass external URL detection after actions such as form submissions or...

CVE-2026-33017

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses...

Langflow Code Injection Vulnerability

Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication...

CVE-2026-32900

OpenClaw CVE-2026-32900 affects versions prior to 2026.2.22. The vulnerability is an authorization bypass in allowlist mode due to allow-always persistence at the wrapper level, enabling approval-bypass execution of different payloads. This allows attackers to approve benign wrapped system.run co...

GHSA-PFV5-RPCW-X34X Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistenc...

GHSA-VWMF-PQ79-VJVX Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

Summary The POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...

Toward Secure Web to ERP Payment Flows: A Case Study of HTTP Header Trust Failures in SAP Based Systems

Electronic banking portals often sit in front of enterprise resource planning ERP systems such as SAP, mediating payment requests between users and back end financial infrastructure. When these integrations place excessive trust in client supplied HTTP metadata, subtle design flaws can arise that...

Phishing in 2026: 3 Attack Tactics That Beat Most Enterprise Defenses

Phishing drives about 90% of cyberattacks in 2026, using tactics like encrypted flows, QR code scams, and trusted cloud platforms to steal credentials...

CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

CVE-2026-27484 OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling timeout, kick, ban uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and...

CVE-2026-27484

OpenClaw (npm openclaw) versions 2026.2.17 and earlier are vulnerable: moderation actions (timeout, kick, ban) incorrectly use sender identity from request parameters in tool-driven flows instead of trusted runtime sender context. This allows a non-admin user, in setups where moderation actions a...

GHSA-WH94-P5M6-MR7J OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

Overview Discord moderation action handling timeout, kick, ban used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. Impact In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin...

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows

Overview Discord moderation action handling timeout, kick, ban used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. Impact In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin...