CVE-2026-35402
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 22:26:27+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjpxscq4l32f... |
GHSA-2767-2Q9V-9326 OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
Summary: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes.
Affected Packages / Versions
- Package: openclaw
- Ecosystem: npm
- Affected versions: <= 2026.4.12
Impact: QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned...
GHSA-4C3Q-X735-J3R5 Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Executive Summary: This report documents a critical security research finding in the compressing npm package, specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...
CVE-2026-33516
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 21:23:11+00:00 | published-proof-of-concept | Telegram/GxkwnkIopWEGLbC11BdcbbYVRqOADIf4t7f5VnXFMKG7Kn8 |
| 2026-04-24 11:15:46+00:00 | seen | https://bsky.app/profile/keiwork35.bsky.social/post/3mkaflhxcmk22... |
CVE-2026-40303
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 21:18:09+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjpty6khsr2q |
| 2026-04-17 22:57:51+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjpzki4xdn2f |
| 2026-04-17 23:20:15+00:00 | published-proof-of-concept | ... |
CVE-2026-28224
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 20:00:26+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjppn74kwq2i |
| 2026-04-17 21:22:46+00:00 | seen | Telegram/o-uTgZiWLI4DGr-3Qx2v6r5S9u58WJIjtqdTFR62kB0PIWs... |
CVE-2026-6497
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 18:40:22+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjpl62mbf42r... |
CVE-2025-65104
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 18:21:08+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjpk3nkxqq24 |
| 2026-04-17 21:22:32+00:00 | seen | Telegram/1afGr9vW06Zk0J3YeUW4MdlUf8TA53EPyuLeVgpLZqfvxp8... |
CVE-2026-21709
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 18:18:25+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjpjwspxx42t... |
CVE-2026-40319
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 18:13:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjpjnljb6d2f... |
CVE-2026-25917
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 16:51:48+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mjpf3wafbc24 |
| 2026-04-18 08:33:08+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjqzp5iqqn2f |
| 2026-04-20 17:21:16+00:00 | seen | ... |
CVE-2026-32690
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 16:27:28+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mjpdqg5ahr24 |
| 2026-04-18 08:18:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjqyu6svs32t... |
EUVD-2026-22915
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...
EUVD-2026-22836
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities...
GHSA-MH4X-RMRX-3HP4 Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...
EUVD-2026-22837
It has been identified that a vulnerability (CWE-427) exists in the UPS (Uninterruptible Power Supply) management application, whereby improper permissions on the installation directory allow a malicious actor to place a DLL that is then executed with administrator privileges. If a malicious DLL is...
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...
goldmark vulnerable to Cross-site Scripting (XSS)
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition in the authentication process. An attacker can gain unauthorized access to multiple authenticated...
CVE-2026-35073
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-17 14:07:05+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mjp3vc4msi22... |