Origin Validation Error
Overview: openclaw is 🦞 OpenClaw, a personal AI assistant. Affected versions of this package are vulnerable to Origin Validation Error via the Slack thread context. An attacker can inject unauthorized messages into the agent context by replying to allowlisted users in Slack threads, thereby...
GHSA-P49J-V9WC-WG57 vulnerabilities
Vulnerabilities for packages: openbao...
PT-2026-35057
Name of the Vulnerable Software and Affected Versions: Skim (affected versions not specified). Description: The generate-files job in the '.github/workflows/pr.yml' file checks out code from an attacker-controlled fork and executes it via the cargo run command. This process allows access to the SKIM R...
GHSA-3QPV-XF3V-MM45
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 23:27:16+00:00 | seen | Telegram/IhrbuMncMOQ2aXKn55DBnsRKZnrdzyQXI4i7tcZ3JysOVtE... |
CVE-2026-40161
A flaw was found in Tekton Pipelines. A tenant with permissions to create TaskRun or PipelineRun resources can exploit this vulnerability. By omitting the Git API token parameter and pointing the serverURL to an attacker-controlled endpoint, the system-configured Git API token such as a GitHub...
GHSA-F228-CHMX-V6J6
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 21:26:14+00:00 | published-proof-of-concept | Telegram/LhBAsLXZuywUMfmIXbSwPnWzjb6RJaoGfmWe6gs8QchtB8o... |
DNS Rebinding
Overview: copilot-api turns GitHub Copilot into an OpenAI/Anthropic API compatible server, usable with Claude Code. Affected versions of this package are vulnerable to DNS Rebinding in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header...
GHSA-PG25-7CX5-CVCM vulnerabilities
Vulnerabilities for packages: python...
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden CLI, the command-line interface for the password manager Bitwarden, has reportedly been compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign, according to findings from JFrog and Socket. "The affected package version appears to be @bitwarden/[email protected]...
GHSA-CCCX-M78H-M3XW vulnerabilities
Vulnerabilities for packages: python...
Hackers Use Hidden Website Instructions in New Attacks on AI Assistants
Cybersecurity researchers at Forcepoint uncover new indirect prompt injection attacks that use hidden website code to exploit AI assistants like GitHub Copilot...
CVE-2026-41640
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 09:30:40+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-41640.yaml |
| 2026-04-24 21:02:31+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mkbgeo6kxw2t |
| 2026-05-07... | | |
CVE-2025-59136
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-23 07:48:04+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2025/CVE-2025-59136.yaml |
| 2026-04-24 21:02:33+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mkbgeoldbm2x... |
SUSE CVE-2026-40903
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6...
Embedded Malicious Code
Overview: @bitwarden/cli is a secure and free password manager for all of your devices. Affected versions of this package are vulnerable to Embedded Malicious Code included in a compromised release that is suspected to be part of the Checkmarx April compromise. The payload is delivered via...
GHSA-39Q2-94RC-95CP vulnerabilities
Vulnerabilities for packages: langfuse, opensearch-dashboards...
GHSA-5CWG-9F6J-9JVX
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-22 19:23:16+00:00 | seen | Telegram/y1XO5mBm2flLcrjS5YpFLtlumq47M984z8tJCHSwnxFgvg... |
Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain
Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository. In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to overwrite existing tags, including v2.1.20 and...
Unsafe Dependency Resolution
Overview: Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the artifact creation process. An attacker can gain unauthorized access to sensitive credentials by extracting workflow artifacts containing the GITHUB_TOKEN. Remediation: Upgrade...
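The goshs advisory and the two artifact-leak entries above describe the same ArtiPACKED failure mode: a workflow zips up its checked-out workspace as an artifact, and the GITHUB_TOKEN that actions/checkout persisted into .git/config travels with it. The scanner below is an added example written for this page, not code from goshs or any of the advisories. It assumes the credential is stored the way actions/checkout does it when persist-credentials is left on, as an `extraheader = AUTHORIZATION: basic <base64>` line under the `http` section, and it works on a constructed in-memory artifact rather than a real download; the token value in the sample is made up.

```python
import base64
import io
import re
import zipfile

# Assumption for this example: actions/checkout (persist-credentials: true, the default)
# writes the job token into .git/config as
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic base64("x-access-token:<GITHUB_TOKEN>")
# so any artifact that includes the workspace's .git directory carries the token.
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def extract_tokens_from_git_config(text):
    """Return (user, secret) pairs for every basic-auth extraheader in a .git/config."""
    found = []
    for match in EXTRAHEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; skip malformed base64
            continue
        user, sep, secret = decoded.partition(":")
        if sep:
            found.append((user, secret))
    return found


def scan_artifact(zip_bytes):
    """Walk a workflow artifact (a zip) and report each .git/config that leaks a token.

    Only the token prefix and length are reported so the scanner's own output does
    not become a second copy of the secret.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            if name == ".git/config" or name.endswith("/.git/config"):
                text = archive.read(name).decode("utf-8", "replace")
                for user, secret in extract_tokens_from_git_config(text):
                    findings.append(
                        {
                            "path": name,
                            "user": user,
                            "token_prefix": secret[:4],
                            "token_len": len(secret),
                        }
                    )
    return findings


def build_sample_artifact():
    """Constructed sample: a workspace zipped wholesale after checkout. Token is fake."""
    fake_token = "ghs_" + "A" * 36
    header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    git_config = (
        "[core]\n"
        "\trepositoryformatversion = 0\n"
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {header}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("workspace/.git/config", git_config)
        archive.writestr("workspace/README.md", "no secrets here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_artifact(build_sample_artifact()):
        print(finding)
```

Pointing `scan_artifact` at a downloaded artifact zip gives a quick triage check; the remediation on the workflow side is either `persist-credentials: false` on the checkout step or excluding `.git` from what gets uploaded.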