
2112 matches found

OSV
added 2026/02/24 9:10 a.m. | 2 views

SUSE-SU-2026:20498-1 Security update for the Linux Kernel

The SUSE Linux Enterprise Micro 6.0 and Micro 6.1 kernel was updated to fix various security issues. The following security issues were fixed: - CVE-2023-54013: interconnect: Fix locking for runpm vs reclaim bsc1256280. - CVE-2025-38321: smb: Log an error when closeallcacheddirs fails bsc1246328. ...

9.8 CVSS | 7.1 AI score | 0.03752 EPSS
Exploits: 4 | References: 1096

OSV
added 2026/02/23 6:23 p.m. | 2 views

GO-2026-4527 Dagu affected by unauthenticated RCE via inline DAG spec in default configuration in github.com/dagu-org/dagu

Dagu affected by unauthenticated RCE via inline DAG spec in default configuration in github.com/dagu-org/dagu...

5.4 AI score
Exploits: 0 | References: 1

OSV
added 2026/02/21 9:27 a.m. | 4 views

CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/packageskill.py a local helper script used when authors package skills previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory...

4.6 CVSS | 5.7 AI score | 0.00007 EPSS
Exploits: 0 | References: 7

Cvelist
added 2026/02/21 9:27 a.m. | 20 views

CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/packageskill.py a local helper script used when authors package skills previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory...

4.6 CVSS | 0.00007 EPSS
Exploits: 0 | References: 5

RedhatCVE
added 2026/02/20 7:39 p.m. | 1 views

CVE-2026-26192

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.7.0, manually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML...

7.3 CVSS | 5.6 AI score | 0.00043 EPSS
Exploits: 1 | References: 1

NVD
added 2026/02/20 12:16 a.m. | 3 views

CVE-2026-27009

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute...

5.8 CVSS | 0.00011 EPSS
Exploits: 1 | References: 4

CVE
added 2026/02/19 11:25 p.m. | 5 views

CVE-2026-27009

OpenClaw (npm package openclaw) contains a stored XSS in the Control UI that occurs when rendering the assistant identity (name/avatar) into an inline script tag without proper escaping. The issue affects versions prior to 2026.2.15 (

5.8 CVSS | 5.5 AI score | 0.00011 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/02/19 11:25 p.m. | 3 views

CVE-2026-27009 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute...

5.8 CVSS | 5.6 AI score | 0.00011 EPSS
Exploits: 1 | References: 6

Cvelist
added 2026/02/19 11:25 p.m. | 20 views

CVE-2026-27009 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute...

5.8 CVSS | 0.00011 EPSS
Exploits: 1 | References: 4

ATTACKERKB
added 2026/02/19 11:25 p.m. | 4 views

CVE-2026-27009

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15...

5.8 CVSS | 5.5 AI score | 0.00011 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Snyk
added 2026/02/19 10:4 p.m. | 2 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the POST /api/v2/dag-runs endpoint, which accepts and executes inline YAML specifications without authentication in the default configuration. An attacker can execute arbitrary commands o...

9.8 CVSS | 6.2 AI score
Exploits: 0 | References: 3

GitHub Security Blog
added 2026/02/19 10:4 p.m. | 4 views

Dagu affected by unauthenticated RCE via inline DAG spec in default configuration

Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...

6 AI score
Exploits: 0 | References: 2 | Affected Software: 1

Tenable Nessus
added 2026/02/19 12:0 a.m. | 5 views

Amazon Linux 2 : kernel, --advisory ALAS2KERNEL-5.10-2026-113 (ALASKERNEL-5.10-2026-113)

The version of kernel installed on the remote host is prior to 5.10.248-247.988. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.10-2026-113 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the...

7.8 CVSS | 6.8 AI score | 0.00125 EPSS
Exploits: 0 | References: 112

GitHub Security Blog
added 2026/02/18 10:44 p.m. | 3 views

OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

Summary Stored XSS in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Affected Packages ...

5.8 CVSS | 5.8 AI score | 0.00011 EPSS
Exploits: 1 | References: 6 | Affected Software: 1

Snyk
added 2026/02/18 10:44 p.m. | 1 views

Cross-site Scripting (XSS)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of assistant identity values into an inline tag without proper escaping. An attacker can execute arbitrary JavaScript in the Control UI ...

6.8 CVSS | 5.6 AI score | 0.00011 EPSS
Exploits: 1 | References: 2

Positive Technologies
added 2026/02/18 12:0 a.m. | 0 views

PT-2026-20792

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description A stored Cross-Site Scripting XSS issue exists in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without proper escaping. A crafted value containing cou...

5.8 CVSS | 5.8 AI score | 0.00011 EPSS
Exploits: 1 | References: 13

RedhatCVE
added 2026/02/16 2:38 p.m. | 2 views

CVE-2026-23141

A flaw was found in the Linux kernel's btrfs filesystem send functionality. In the rangeisholeinparent function, the code accesses the diskbytenr field of a file extent item without first checking if it is an inline extent. For inline extents, the data begins at the diskbytenr field offset, so...

5.5 CVSS | 5.8 AI score | 0.00018 EPSS
Exploits: 0 | References: 4

SUSE CVE
added 2026/02/16 12:26 a.m. | 3 views

SUSE CVE-2026-23141

In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in rangeisholeinparent Before accessing the diskbytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data star...

5.5 CVSS | 5.2 AI score | 0.00018 EPSS
Exploits: 0 | References: 21

Tenable Nessus
added 2026/02/16 12:0 a.m. | 3 views

Siemens SIMATIC S7-1500 Reachable Assertion (CVE-2025-38701)

In the Linux kernel, the following vulnerability has been resolved: ext4: do not BUG when INLINEDATAFL lacks system.data xattr A syzbot fuzzed image triggered a BUGON in ext4updateinlinedata when an inode had the INLINEDATAFL flag set but was missing the system.data extended attribute. Since this...

5.5 CVSS | 6.5 AI score | 0.0002 EPSS
Exploits: 0 | References: 2