570 matches found
CVE-2026-39409 vulnerabilities
Vulnerabilities for packages: opensearch-dashboards-fips, gemini-cli, opensearch-dashboards, librechat, langfuse-fips, kibana, langfuse...
Vulnerability Detection with Interprocedural Context in Multiple Languages: Assessing Effectiveness and Cost of Modern LLMs
Large Language Models LLMs have been a promising way for automated vulnerability detection. However, most prior studies have explored the use of LLMs to detect vulnerabilities only within single functions, disregarding those related to interprocedural dependencies. These studies overlook...
CVE-2025-64340
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters e.g., & can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run wit...
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
Summary Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code. Impact Anyone who could capture the redirect URL could learn bo...
EUVD-2026-18849
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it...
CVE-2026-34511
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...
CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...
CVE-2025-64340 FastMCP has a Command Injection vulnerability - Gemini CLI
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters e.g., & can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run wit...
CVE-2025-64340
FastMCP (the MCP framework) is affected prior to version 3.2.0. A vulnerability arises when server names contain shell metacharacters (for example, &); this can trigger command injection on Windows during fastmcp install claude-code or fastmcp install gemini-cli. The install commands use subproce...
CVE-2025-64340 FastMCP has a Command Injection vulnerability - Gemini CLI
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters e.g., & can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run wit...
PT-2026-30235
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...
OpenClaw 安全特征问题漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.2 had security feature vulnerabilities. These vulnerabilities stemmed from the reuse of the PKCE verifier as a state parameter in the Gemini OAuth process, which could lead to t...
GHSA-M8X7-R2RG-VH5G FastMCP has a Command Injection vulnerability - Gemini CLI
Server names containing shell metacharacters e.g., & can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are...
Asking AI for personal advice is a bad idea, Stanford study shows
Stanford computer scientists just proved what therapists already suspected: AI chatbots will agree with almost anything you say to keep you happy. The researchers caught these systems validating dangerous decisions just to maintain user engagement. That's a worrying development, especially given...
GHSA-J3Q9-MXJG-W52F vulnerabilities
Vulnerabilities for packages: kibana, wazuh-dashboard, code-server, opensearch-dashboards-fips, redisinsight, saf, thingsboard, vitess, tileserver-gl, tileserver-gl-fips, opensearch-dashboards, langfuse-fips, gemini-cli, langfuse...
GHSA-27V5-C462-WPQ7 vulnerabilities
Vulnerabilities for packages: kibana, wazuh-dashboard, code-server, opensearch-dashboards-fips, redisinsight, saf, thingsboard, vitess, tileserver-gl, tileserver-gl-fips, opensearch-dashboards, langfuse-fips, gemini-cli, langfuse...
CVE-2026-4926 vulnerabilities
Vulnerabilities for packages: kibana, wazuh-dashboard, code-server, opensearch-dashboards-fips, redisinsight, saf, thingsboard, vitess, tileserver-gl, tileserver-gl-fips, opensearch-dashboards, langfuse-fips, gemini-cli, langfuse...
CVE-2026-4923 vulnerabilities
Vulnerabilities for packages: kibana, wazuh-dashboard, code-server, opensearch-dashboards-fips, redisinsight, saf, thingsboard, vitess, tileserver-gl, tileserver-gl-fips, opensearch-dashboards, langfuse-fips, gemini-cli, langfuse...
MAL-2026-2268 Malicious code in gemini-ai-api (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 db2be37ea455b54b825242a3f66310fdf3f70e50b1dc1a234fa3ebb534afa857 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...