453 matches found
PT-2026-26019
Summary For host=node executions, approval context could be bypassed after approval-time by rebinding a writable parent symlink in cwd while preserving the visible cwd string. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.26 planned next npm release Impact A command...
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name users/. This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals. Affected Packages / Versions As of 2026-02-14; based on latest...
GHSA-CHM2-M3W2-WCXM OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Summary Google Chat allowlisting supports matching by sender email in addition to immutable sender resource name users/. This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals. Affected Packages / Versions As of 2026-02-14; based on latest...
OPENSUSE-SU-2026:20172-1 Security update for cups
This update for cups fixes the following issues: Update to version 2.4.16. Security issues fixed: - CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues bsc1253783. - CVE-2025-58436: slow client communication leads to a possible DoS attack bsc1244057. - CVE-2025-58364:...
CVE-2025-14750
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges...
CVE-2025-14750
CVE-2025-14750 affects Weintek cMT X Series HMI EasyWeb Service. The vulnerability arises from insufficient validation of inputs that are assumed immutable but are externally controllable, enabling a low-privileged user to modify parameters and potentially escalate privileges to account-level acc...
CVE-2025-14750 External Control of Assumed-Immutable Web Parameter in Weintek cMT X Series HMI EasyWeb Service
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges...
CVE-2025-14750 External Control of Assumed-Immutable Web Parameter in Weintek cMT X Series HMI EasyWeb Service
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges...
CVE-2024-34517
The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access...
CVE-1999-0323
FreeBSD mmap function allows users to modify append-only or immutable files...
Apache StreamPark Security Bypass Vulnerability
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. Apache StreamPark suffers from a security bypass vulnerability due to the use of a fixed, immutable encryption key. An attacker could exploit the vulnerability to decrypt...
Use Of Hard-coded Cryptographic Key
Apache StreamPark is vulnerable to use of a hard-coded cryptographic key. The vulnerability is due to Apache StreamPark uses an immutable, embedded key for encryption instead of a securely generated or configurable one, allowing attackers who obtain the key through reverse engineering or source...
EUVD-2025-199680
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink fails in statuscontents.php causing DoS. Due to the...
CVE-2025-66252
Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Infinite loop when unlink fails in statuscontents.php causing DoS. Due to the...
EUVD-2025-197605
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
CVE-2025-64482
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file...
CVE-2025-64117
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1761813675 and Tuleap Enterprise Edition prior to versions 16.13-5 and 16.12-8 don't have cross-site request forgery protection in the management of...
CVE-2025-64482
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file...
EUVD-2025-150397
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap Community Edition prior to version 16.13.99.1762267347 and Tuleap Enterprise Edition prior to versions 17.01-, 16.13-6, and 16.12-9 don't have cross-site request forgery protections in the file...