Lucene search
K

117 matches found

RedhatCVE
RedhatCVE
added 6 days ago7 views

CVE-2026-39197

A flaw was found in Vector. A remote attacker could send a specially crafted compressed request to Vector's HTTP ingest sources, causing unbounded memory allocation during decompression and leading to a Denial of Service DoS. Mitigation Restrict network access to Vector's HTTP and gRPC ingest...

7.5CVSS6AI score0.00289EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in enbd-react-lib (npm)

The enbd-react-lib package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd' interna...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in @flex-ng/filter-pipe (npm)

The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/07/02 4:18 p.m.5 views

GHSA-P2FH-F5FC-44HR OpenClaw: memory-wiki ingest could read local files with operator.write scope

Summary memory-wiki ingest could read local files with operator.write scope. In affected versions, a Gateway caller with operator.write access to the plugin tool could read arbitrary local file paths instead of staying within the intended ingest sources. This advisory is scoped to the named featu...

6.5CVSS6.1AI score0.00375EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 4:21 p.m.22 views

CVE-2026-55447

Langflow’s BaseFileComponent family (including Read File, DoclingInlineComponent, DoclingServe, DoclingRemoteComponent, NvidiaIngestComponent, VideoFileComponent, UnstructuredComponent) is affected by CVE-2026-55447. The underlying issue is in base_file.py: _unpack_bundle TAR extraction does not ...

9.6CVSS5.9AI score0.00411EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/23 4:21 p.m.3 views

CVE-2026-55447

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to t...

9.6CVSS5.9AI score0.00411EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/06/23 4:21 p.m.51 views

CVE-2026-55447 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to t...

9.6CVSS0.00411EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/13 12:34 a.m.12 views

EUVD-2026-36613

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...

7.1CVSS5.4AI score0.00375EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/12 11:9 p.m.5 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the memory-wiki ingest process when an authenticated user with operator.write scope specifies arbitrary local file paths. An attacker can access sensitive local...

7.1CVSS6.5AI score0.00375EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 p.m.11 views

CVE-2026-53825

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...

7.1CVSS0.00375EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.33 views

CVE-2026-53825 OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...

7.1CVSS0.00375EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.8 views

CVE-2026-53825 OpenClaw < 2026.4.7 - Arbitrary Local File Read via memory-wiki Ingest with operator.write Scope

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file...

7.1CVSS5.4AI score0.00375EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.24 views

CVE-2026-53825

OpenClaw prior to 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature. Authenticated Gateway operators with operator.write scope can specify arbitrary local file paths to import content into wiki memory, bypassing access restrictions and reading local files ou...

7.1CVSS5.4AI score0.00375EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.21 views

PT-2026-49029

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.7 Description The memory-wiki ingest feature allows authenticated Gateway operators with operator.write scope to read local files outside of the intended ingest sources. By specifying arbitrary local file path...

7.1CVSS5.4AI score0.00375EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/06 6:43 p.m.13 views

CVE-2026-45327

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References1
NVD
NVD
added 2026/06/05 6:17 p.m.11 views

CVE-2026-45327

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS0.00357EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/05 4:57 p.m.34 views

CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS0.00357EPSS
Exploits0References3
CVE
CVE
added 2026/06/05 4:57 p.m.24 views

CVE-2026-45327

TinyIce (Go) versions 0.8.95–2.4.1 expose a missing authentication on the WebRTC ingest endpoint POST /webrtc/source-offer?mount=, enabling unauthenticated stream injection. The issue is fixed in v2.5.0 by requiring either HTTP Basic auth or a ?password= query parameter, verifying the supplied pa...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/05 4:57 p.m.9 views

EUVD-2026-34863

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/05 4:57 p.m.8 views

CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

8.2CVSS5.5AI score0.00357EPSS
Exploits0References3
Rows per page
Query Builder