48 matches found

CNNVD
added 6 days ago, 5 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.5.18 contained security vulnerabilities. These vulnerabilities stemmed from a range-bypass vulnerability in the Gateway chat.send route, allowing clients with restricted ranges to...

CVSS 8.8, AI score 5.9, EPSS 0.00043
Exploits 0, References 2
OSV
added 2026/05/20 5:31 a.m., 3 views

MAL-2026-4649 Malicious code in promptbook-mcp (npm)

Source: amazon-inspector 1223e123a8bd5b550647d800b438b2c5a78f3e10c9d1ab7a6a7cdbd8be465b90. dist/api.js contains a hardcoded URL https://promts.newtechcompany.ru referenced alongside process.env reads and a fetch call at line 44. The package...

AI score 5.8
Exploits 0, References 1
OSV
added 2026/05/19 7:22 p.m., 2 views

GHSA-FHH6-4QXV-RPQJ 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

Summary: 9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process, with zero prerequisites and no credentials required. The vulnerability exists because the Next.js...

CVSS 10, AI score 6.1
Exploits 0, References 2
vulnersOsv
added 2026/05/11 9:00 p.m., 2 views

@squawk/mcp (>=0.2.0 <=0.9.0) potentially affected by unknown CVE via @squawk/flight-math (=0.5.3)

@squawk/flight-math NPM version =0.5.3 is affected by a known vulnerability. The following packages have a transitive dependency on @squawk/flight-math and may be impacted: @squawk/mcp >=0.2.0 <=0.9.0. Source cves: unknown CVE. Source advisory: SNYK:JS-SQUAWKFLIGHTMATH-16640879...

AI score 5.8
Exploits 0
NVD
added 2026/04/07 3:17 p.m., 1 view

CVE-2026-5382

An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N 3.0 Low. This issue was fixed in...

CVSS 3, EPSS 0.00043
Exploits 0, References 2
Cvelist
added 2026/04/07 2:10 p.m., 20 views

CVE-2026-5374 runZero Platform MCP information leak

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

CVSS 5.8, EPSS 0.00048
Exploits 0, References 2
Zero Day Initiative
added 2026/03/24 12:00 a.m., 4 views

(0Day) Microsoft Azure MCP AzureCliService Command Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Azure. Authentication is not required to exploit this vulnerability. The specific flaw exists within the azure-cli-mcp component. The issue results from the lack of proper validation of a...

CVSS 9.8, AI score 6.3
Exploits 0
EUVD
added 2026/03/16 3:14 p.m., 1 view

EUVD-2025-208759

FastMCP OAuth Proxy token reuse across MCP servers...

CVSS 7.4, AI score 5.8, EPSS 0.00022
Exploits 1, References 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2018-4029

Malware in sbrugna...

CVSS 7.5, AI score 7.6, EPSS 0.00174
Exploits 1, References 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2005-4520

Malware in sbrugna...

CVSS 4.6, AI score 6.4, EPSS 0.00108
Exploits 1, References 5
Positive Technologies
added 2025/10/03 12:00 a.m., 2 views

PT-2025-40609

Name of the vulnerable software and affected versions: win-cli-mcp-server, affected versions not specified. Description: The software contains a command injection flaw within the resolveCommandPath function. This allows for remote code execution. The issue was discovered by Peter Girnus of Trend...

AI score 8.2, EPSS 0.01128
Exploits 0, References 3
Vulnrichment
added 2024/07/18 3:35 p.m., 25 views

CVE-2024-39911 1Panel SQL injection

1Panel is a web-based Linux server management control panel. 1Panel contains an unspecified SQL injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 10, AI score 7.2, EPSS 0.68287
Exploits 2, References 2
Positive Technologies
added 2024/05/28 12:00 a.m., 1 view

PT-2024-26521 · Dedecms · Dedecms

Name of the vulnerable software and affected versions: DedeCMS version 5.7.114. Description: The issue is related to an arbitrary file upload vulnerability in the /dede/file_manage_control.php file. This vulnerability allows attackers to execute arbitrary code by uploading a crafted file...

CVSS 9.8, AI score 7.7, EPSS 0.00426
Exploits 1, References 3
CNVD
added 2023/10/07 12:00 a.m., 29 views

DedeBIZ Code Execution Vulnerability

DedeBIZ is a content management system from the Chinese company Muyun Intelligent Technology (DedeBIZ). A code execution vulnerability exists in DedeBIZ version v6.2.11, which stems from the $activepath and $filename parameters in /admin/filemanagecontrol.php failing to correctly filter the special...

CVSS 9.8, AI score 7.8, EPSS 0.00341
Exploits 0, References 1
CNNVD
added 2022/11/23 12:00 a.m., 1 view

DedeCMS security vulnerability

Desdev DedeCMS (Dream Weaving Content Management System) is a PHP-based open-source content management system (CMS) from the Chinese company Zhuozhuo Network (Desdev). The system provides content publishing, content management, content editing and content retrieval functions. A security vulnerability exists in...

CVSS 9.8, AI score 8.8, EPSS 0.1029
Exploits 0, References 2
CNNVD
added 2022/10/11 12:00 a.m., 2 views

Desdev DedeCMS code issue vulnerability

Desdev DedeCMS (Dream Weaving Content Management System) is a PHP-based open-source content management system (CMS) from the Chinese company Zhuozhuo Network (Desdev). The system provides content publishing, content management, content editing and content retrieval functions. DedeCMS version V5.7.99 has a security...

CVSS 7.2, AI score 7.1, EPSS 0.00452
Exploits 1, References 3
NVD
added 2021/10/22 12:15 p.m., 11 views

CVE-2021-41744

All versions of yongyou PLM are affected by a command injection issue. UFIDA PLM Product Life Cycle Management is a strategic management method. It applies a series of enterprise application systems to support the entire process from conceptual design to the end of product life, and the...

CVSS 9.8, EPSS 0.03532
Exploits 0, References 1
CNVD
added 2021/07/15 12:00 a.m., 21 views

IBM Security Access Manager path traversal vulnerability

IBM Security Access Manager is a product of IBM Corporation for information security management. The product enables access management control through integrated Web-, mobile-, and cloud-oriented devices. IBM Security Access Manager Docker is vulnerable to a path traversal vulnerability that...

CVSS 6.8, AI score 4.6, EPSS 0.00791
Exploits 0, References 1
myhack58
added 2018/05/17 12:00 a.m., 133 views

How to use Struts2 vulnerabilities to bypass a firewall and get root permissions - bug warning - the black bar safety net

This article I want to share is about the Apache Struts2 CVE-2013-2251 vulnerability; since the vulnerability can lead to remote code execution, it had once been widely abused. The vulnerability principle is that, by manipulating the "action:" / "redirect:" / "redirectAction:" prefix parameter in the Stru...

EPSS 0.94325
Exploits 18
OSV
added 2018/03/30 4:29 p.m., 1 view

CVE-2018-9134

filemanagecontrol.php in DedeCMS 5.7 has CSRF in an fmdo=rename action, as demonstrated by renaming an arbitrary file under uploads/userup to a .php file under the web root to achieve PHP code execution. This uses the oldfilename and newfilename parameters...

CVSS 8.8, AI score 6, EPSS 0.003
Exploits 0, References 2