11 matches found
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...
ALSA-2026:36199 Important: buildah security update
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a...
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions
A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...
CVE-2026-7817 pgAdmin 4: Local file inclusion and server-side request forgery in LLM API configuration endpoints
Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...
CVE-2026-35636
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where sessionstatus resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
Prototype Pollution
@byondreal/accessor is vulnerable to Prototype Pollution. The vulnerability is due to improper key restrictions to prevent object prototype manipulation, which allows an attacker to overwrite the object prototype which can result in remote code execution among other attacks...
Improper Access Control in causefx/organizr
✍️ Description Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️♂️ Proof of Concept Visit the following link to verify that you can use the service...
TOCTOU with NT System Service Hooking
TOCTOU Time-Of-Check-to-Time-Of-Use problem is known for a while 1. Nevertheless such bugs are still not uncommon. That is more or less acceptable for general software but not for security products. I believe there are drivers that hook kernel system services by well known technique 2,3,4. Those...