RHEL 10 : git-lfs (RHSA-2026:7005)
The remote Red Hat Enterprise Linux 10 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:7005 advisory. Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing t...
Oracle Linux 10 : git-lfs (ELSA-2026-7005)
The remote Oracle Linux 10 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2026-7005 advisory. 3.6.1-8 - Rebuild with new Golang. Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has...
git-lfs security update
3.6.1-8 - Rebuild with new Golang...
ALSA-2026:7005 Important: git-lfs security update
Git Large File Storage (LFS) replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: net/url: Incorrect parsing of IPv6 host literals in net/url (CVE-2026-25679). For more details abou...
git-cliff-2.12.0-1.1 on GA media (moderate)
git-cliff-2.12.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10496-1 Rating: moderate Cross-References: CVE-2025-55159 CVSS scores: CVE-2025-55159 SUSE : 5.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H CVE-2025-55159 SUSE : 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:...
GO-2026-4909 Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git
Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git...
GO-2026-4910 Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git
Maliciously crafted idx file can cause asymmetric memory consumption in github.com/go-git/go-git...
kernel security update
6.12.0-124.49.1 - Add new Oracle Linux Driver Signing key 1 certificate Orabug: 37985782 - Disable UKI signing Orabug: 36571828 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list...
OPENSUSE-SU-2026:10496-1 git-cliff-2.12.0-1.1 on GA media
These are all security issues fixed in the git-cliff-2.12.0-1.1 package on the GA media of openSUSE Tumbleweed...
GHSA-9GP8-HJXR-6F34 OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on...
Improper Privilege Management
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management in the handling of environment variable overrides for proxy, TLS, Docker, and Git TLS controls. An attacker can bypass intended security restrictions by...
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Summary Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on...
Docker Engine 29.3.1 Multiple Vulnerabilities
The version of the Docker Engine installed on the remote host is prior to 29.3.1. It is therefore affected by multiple vulnerabilities: - CVE-2026-34040: AuthZ plugin authorization bypass vulnerability. Authorization plugins could be bypassed under specific conditions, potentially allowing...
Linux Distros Unpatched Vulnerability : CVE-2026-33762
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git's index decoder for format version 4 fails to validate th...
Linux Distros Unpatched Vulnerability : CVE-2026-34165
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which...
CLEANSTART-2026-MF20926 Security fixes for CVE-2021-38561, CVE-2022-27191, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-58190, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68121, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 3.1.2-r3, 3.1.2-r4, 3.7.0-r0, 3.7.0-r2
Multiple security vulnerabilities affect the git-lfs-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Overview Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation 'Algorithm Downgrade' in the TLS 1.3 session resumption logic if the subsequent ClientHello negotiates TLS 1.2 back. An attacker can gain unauthorized access by impersonating a...
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Summary Host execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content. Impact An approved exec request could redirect git or AWS CLI behavior through attacker-controlled configuration and execute untrust...
GHSA-M866-6QV5-P2FG OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Summary Host execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content. Impact An approved exec request could redirect git or AWS CLI behavior through attacker-controlled configuration and execute untrust...
EUVD-2026-17427
Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations...