CVE-2026-32920 OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins

OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run...

Double Free

Overview Affected versions of this package are vulnerable to Double Free via the stbiloadgifmain function. An attacker can cause memory corruption or execute arbitrary code by providing a specially crafted multi-frame GIF file that triggers a double free condition. Remediation There is no fixed...

CVE-2026-5186

A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbiloadgifmain of the file stbimage.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made available to the public and...

CVE-2026-34070

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...

CVE-2026-34070 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...

CVE-2026-34070

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...

PT-2026-29374

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version http://localhost:8080/system/status allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External...

PT-2026-29228

OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run...

FreeScout 安全漏洞

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.211 contained security vulnerabilities, which were due to unvalidated host header operations, potentially leading to external...

LangChain 安全漏洞

LangChain is an open-source framework developed by LangChain for creating applications powered by large language models LLMs. Versions of LangChain prior to 1.2.22 contained security vulnerabilities. These vulnerabilities stemmed from multiple functions in langchaincore.promptsloading that read...

📄 Google Keras 3.13.0 Denial of Service

A denial of service vulnerability exists in the HDF5 weight loading component of Google Keras versions 3.0.0 through 3.13.0 on all platforms. The vulnerability is caused by the absence of any validation or throttling when processing HDF5 dataset shape metadata declared inside a .keras archive...

VulnCheck KEV: CVE-2025-32355

Rocket TRUfusion Enterprise through 7.10.4.0 uses a reverse proxy to handle incoming connections. However, the proxy is misconfigured in a way that allows specifying absolute URLs in the HTTP request line, causing the proxy to load the given resource...

ClearanceKit 安全漏洞

ClearanceKit is a macOS file system access control tool developed by Craig J. Bass. Versions of ClearanceKit prior to 4.2.14 contained security vulnerabilities. These vulnerabilities were caused by startup defects that led to incomplete loading of access policies, potentially resulting in imprope...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. A security vulnerability exists in OpenClaw that stems from automatically discovering and loading plugins from .OpenClaw/extensions/ without explicit trust validation, which can be exploited by an attacker to cause arbitrar...

CrewAI 安全漏洞

CrewAI is an open-source code execution and analysis tool component developed by CrewAI. CrewAI has a security vulnerability, which stems from a lack of path validation in the JSON loading mechanism, potentially allowing arbitrary local file reading...

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

Summary Multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to loadprompt or loadpromptfromconfig...

CVE-2021-27375

Traefik before 2.4.5 allows the loading of IFRAME elements from other domains...

PT-2026-28599

Name of the Vulnerable Software and Affected Versions LangChain-core versions prior to 1.2.22 Description LangChain is a framework used for building applications powered by language models. Multiple functions within langchain core.prompts.loading do not properly validate file paths when reading...

CVE-2026-2430

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the addlazyload function that replaces all occurrences of \ssr...

CVE-2025-33247

NVIDIA Megatron LM contains a vulnerability in quantization configuration loading, which could allow remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering...