Github Security Blog
added 2026/03/03 7:46 p.m.

OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text

Summary: In openclaw up to and including 2026.2.23 (latest npm release as of February 25, 2026), system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime. Affected Packages / Versions - Package: opencl...

CVSS 9.8, AI score 6.1, EPSS 0.00911
Exploits: 0, References: 6, Affected software: 1

SUSE Linux
added 2026/03/03 3:51 p.m.

Security update for go1.24-openssl

This update for go1.24-openssl fixes the following issues: Update to version 1.24.13 (jsc#SLE-18320, bsc#1236217). Security issues fixed: CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692). CVE-2025-68119: cmd/go: unexpected code execution...

CVSS 9.6, AI score 6.3, EPSS 0.00765
Exploits: 1, References: 16

OSV
added 2026/03/03 3:51 p.m.

SUSE-SU-2026:0789-1 Security update for go1.24-openssl

This update for go1.24-openssl fixes the following issues: Update to version 1.24.13 (jsc#SLE-18320, bsc#1236217). Security issues fixed: - CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692). - CVE-2025-68119: cmd/go: unexpected code...

CVSS 10, AI score 6.4, EPSS 0.00765
Exploits: 1, References: 8

GithubExploit
added 2026/03/03 12:45 p.m.

Exploit for Code Injection in Anthropic Claude_Code

CVE-PENDING: MCP Tool Confirmation Prompt Misrepresentation in...

CVSS 8.8, AI score 6.2, EPSS 0.30227
Exploits: 6

SUSE Linux
added 2026/03/03 12:38 p.m.

Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues: Update to version 1.25.7. Security issues fixed: CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692). CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated...

CVSS 9.6, AI score 6, EPSS 0.00765
Exploits: 1, References: 10

OSV
added 2026/03/03 12:38 p.m.

SUSE-SU-2026:0760-1 Security update for go1.25-openssl

This update for go1.25-openssl fixes the following issues: Update to version 1.25.7. Security issues fixed: - CVE-2025-61732: cmd/cgo: discrepancy between Go and C/C++ comment parsing allows for C code smuggling (bsc#1257692). - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated...

CVSS 10, AI score 6, EPSS 0.00765
Exploits: 1, References: 5

Github Security Blog
added 2026/03/03 12:41 a.m.

OpenClaw: macOS optional allowlist basename matching could bypass path-based policy

Summary: On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss. Scope / Precondition...

CVSS 7.8, AI score 5.9, EPSS 0.00122
Exploits: 0, References: 5, Affected software: 1

OSV
added 2026/03/03 12:41 a.m.

GHSA-7F4Q-9RQH-X36P OpenClaw: macOS optional allowlist basename matching could bypass path-based policy

Summary: On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss. Scope / Precondition...

CVSS 7.8, AI score 5.9, EPSS 0.00122
Exploits: 0, References: 5

Snyk
added 2026/03/03 12:39 a.m.

Insertion of Sensitive Information Into Sent Data

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the OAuth onboarding process in the macOS beta application, where the PKCE code_verifier was exposed as the OAuth state in the URL. An...

CVSS 5.1, AI score 6
Exploits: 0, References: 2

Github Security Blog
added 2026/03/03 12:39 a.m.

OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state

Summary: The affected surface is the OpenClaw macOS app onboarding flow, and the macOS app is currently in beta. In that beta onboarding flow, Anthropic OAuth used the PKCE code_verifier value as OAuth state, exposing that secret in the front-channel URL state. Affected Packages / Versions - Package:...

AI score 5.9
Exploits: 0, References: 3, Affected software: 1

Positive Technologies
added 2026/03/03 12:00 a.m.

PT-2026-26010

Summary: In OpenClaw's macOS node-host path, system.run allowlist parsing in security=allowlist mode failed to reject command substitution tokens when they appeared inside double-quoted shell text. Because of that gap, payloads like echo "ok $(id)" could be treated as allowlist hits first executable...

CVSS 7.5, AI score 6, EPSS 0.0063
Exploits: 1, References: 9

Google Chrome Security Advisories
added 2026/03/03 12:00 a.m.

Stable Channel Update for Desktop

The Stable channel has been updated to 145.0.7632.159/160 for Windows/Mac and 145.0.7632.159 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards. Note: Access to bug details and links may be kept...

CVSS 9.6, AI score 8.4, EPSS 0.00497
Exploits: 0, Affected software: 1

VulnCheck KEV
added 2026/03/03 12:00 a.m.

VulnCheck KEV: CVE-2023-43000

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption...

CVSS 8.8, AI score 5.8, EPSS 0.03901
Exploited in the wild; Exploits: 1, References: 3

Positive Technologies
added 2026/03/03 12:00 a.m.

PT-2026-26397

Summary: On macOS node-host, optional exec-approval allowlist mode previously treated basename-only entries (for example echo) as trusted command matches. This could allow a same-name local binary (for example ./echo) to run without approval under security=allowlist + ask=on-miss. Scope / Precondition...

CVSS 7.3, AI score 5.8, EPSS 0.00122
Exploits: 0, References: 7

OSV
added 2026/03/02 10:17 p.m.

GHSA-5F9P-F3W2-FWCH OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Summary: In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings. Impact: This path requires all of the following: - authenticated caller with operator.write - paired macOS beta node...

CVSS 2.3, AI score 6, EPSS 0.00291
Exploits: 0, References: 6

Snyk
added 2026/03/02 10:17 p.m.

Improper Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Authorization in system.run due to a parsing mismatch in allowlist checks for shell-chain payloads. An attacker can execute unauthorized shell commands on a paired macOS host...

CVSS 6.4, AI score 6, EPSS 0.00291
Exploits: 0, References: 3

Github Security Blog
added 2026/03/02 10:17 p.m.

OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Summary: In the macOS companion app (currently beta), a parsing mismatch in exec approvals could let shell-chain payloads pass allowlist checks in system.run under specific settings. Impact: This path requires all of the following: - authenticated caller with operator.write - paired macOS beta node...

CVSS 6.4, AI score 6, EPSS 0.00291
Exploits: 0, References: 6, Affected software: 1

ATTACKERKB
added 2026/03/02 3:46 p.m.

CVE-2026-28412

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server imposes no limit on concurrent connections. Combined with a broadcast timer that sends state to all connected clients every 100 ms, an attacker can exhaust CPU and memory by flooding the server...

CVSS 7.5, AI score 6, EPSS 0.00255
Exploits: 1, References: 3, Affected software: 1

EUVD
added 2026/03/02 3:45 p.m.

EUVD-2026-9200

Textream is a free macOS teleprompter app. Prior to version 1.5.1, the DirectorServer WebSocket server ws://127.0.0.1: accepts connections from any origin without validating the HTTP Origin header during the WebSocket handshake. A malicious web page visited in the same browser session can silentl...

CVSS 7.6, AI score 6, EPSS 0.00136
Exploits: 1, References: 2

CNVD
added 2026/03/02 12:00 a.m.

Denial of Service Vulnerability in Multiple Apple Products (CNVD-2026-14274)

Apple iOS is an operating system developed for mobile devices. Apple macOS is a specialized operating system developed for Mac computers. Apple iPadOS is an operating system for iPad tablets. A denial-of-service vulnerability exists in several Apple products, which can be exploited by attackers to...

CVSS 5.7, AI score 5.8, EPSS 0.00258
Exploits: 0, References: 1
