223 matches found
EUVD-2026-26133
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invokebrowser.proxy that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from a security bypass issue in node.invokebrowser.proxy, which allowed modification of persistent browser...
CVE-2018-25270
ThinkPHP 5.0.23 remote code execution via invokefunction: unauthenticated attackers can craft requests to index.php with malicious function parameters to execute arbitrary PHP code with application privileges. Impacted component is ThinkPHP 5.0.23 routing invokefunction pathway. CVSS metrics in t...
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
Summary Microsoft Teams SSO invoke handler missed sender authorization checks. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 = 2026.4.14 Impact Microsoft Teams SSO signin invoke handling could process an invoke from a sender before applying the...
GHSA-GC9R-867R-J85F OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
Summary Microsoft Teams SSO invoke handler missed sender authorization checks. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 = 2026.4.14 Impact Microsoft Teams SSO signin invoke handling could process an invoke from a sender before applying the...
CVE-2026-35654 OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...
EUVD-2026-21454
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...
CVE-2026-35654
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...
CVE-2026-35654 OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard. Remediation...
GHSA-CMFR-9M2R-XWHQ OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
Impact OpenClaw node.invokebrowser.proxy bypasses browser.request persistent profile-mutation guard. node.invokebrowser.proxy could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to...
CVE-2026-39363
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...
CVE-2026-39363
CVE-2026-39363 affects Vite Dev Server. The WebSocket-based fetchModule RPC can be invoked without an Origin header, bypassing HTTP path access checks and enabling arbitrary file reads via file:// URLs combined with ?raw or ?inline. This occurs in Vite versions 6.0.0 up to before 6.4.2, 7.3.2, an...
CVE-2026-39363 Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, if it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?r...
PT-2026-28572
Name of the Vulnerable Software and Affected Versions Handlebars versions 4.0.0 through 4.7.8 Description Handlebars allows users to build semantic templates. A crafted object placed in the template context can bypass conditional guards in the resolvePartial function, causing invokePartial to...
OSV-2026-437 Heap-use-after-free in tf::Executor::_invoke
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=494709474 Crash type: Heap-use-after-free WRITE 8 Crash state: tf::Executor::invoke tf::Executor::spawn void std::1::threadproxy...
CVE-2026-4564 yangzongzhuan RuoYi Quartz Job job code injection
A security vulnerability has been detected in yangzongzhuan RuoYi up to 4.8.2. This issue affects some unknown processing of the file /monitor/job/ of the component Quartz Job Handler. Such manipulation of the argument invokeTarget leads to code injection. It is possible to launch the attack...
CVE-2026-28466
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject...
CVE-2026-28466
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject...
CVE-2026-28466
OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject...