11 matches found
PT-2026-49773
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.4.23 through 2026.4.23. Description: An insecure file permissions issue exists in the config recovery process that restores the OpenClaw.json file with overly broad permissions. Local attackers on shared hosts can exploit...
CVE-2026-41159
Mermaid (mermaid-js) contains a CSS injection vulnerability (CVE-2026-41159) affecting prior releases. Before fixes in v10.9.6 and v11.15.0, its default config allows injecting CSS via fontFamily, themeCSS, and altFontFamily. The injected CSS exploits stylis’s scope handling, where :not(&) escape...
CVE-2026-41272 Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers secureAxiosRequest and secureFetch, intended to prevent Server-Side Request Forgery (SSRF), contain multiple logic flaws. These flaws allow attackers to bypass the...
PT-2026-30900
Name of the Vulnerable Software and Affected Versions: libssh, affected versions not specified. Description: A flaw exists in libssh that allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information. This poses a risk to the...
CVE-2026-20115
A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote, unauthenticated attacker to view confidential device information. This vulnerability is due to a device configuration upload being performed over an insecure tunnel. An attacker could exploit this vulnerability by...
GHSA-8JMM-3XWX-W974 Alist has Insecure TLS Config
Summary: The application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations,...
User Impersonation
Overview: Affected versions of this package are vulnerable to User Impersonation due to insufficient authentication checks in the client and server processes. An attacker can gain unauthorized access to sensitive data by establishing a connection without proper certificate validation or...
CVE-2017-17867
Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary program, as demonstrated by a program located on an SMB share. This issue existed because the...
Plixer Scrutinizer NetFlow and sFlow Analyzer 9 - Default MySQL Credential (Metasploit)
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. http://metasploit.com/framework/ require 'msf/core' class Metasploit3 "Plixer Scrutinize...
[SECURITY] [DSA 1758-1] New nss-ldapd packages fix information disclosure
Debian Security Advisory DSA-1758-1 http://www.debian.org/security/ Moritz Muehlenhoff March 30, 2009 http://www.debian.org/security/faq ...
CVE-2007-6723
TorK before 0.22, when running on Windows and Mac OS X, installs Privoxy with a configuration file config.txt or config that contains insecure (1) enable-remote-toggle and (2) enable-edit-actions settings, which allows remote attackers to bypass intended access restrictions and modify configuration...