Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes

Summary IsPublicIP in pkg/gotenberg/outbound.go incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations e.g., cloud metadata services at 169.254.169.254 via a single crafted DNS AAAA record. This...

CVE-2026-47269

CVE-2026-47269 affects pam_usb on Linux. The deny_remote feature checks utmpx ut_addr_v6[0] to identify remote sessions, but IPv4-mapped IPv6 addresses cause the check to fail (ut_addr_v6[0] == 0, while the IPv4 address is in ut_addr_v6[3]), so remote SSH connections can be treated as local. As a...

CVE-2026-42184

Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's islocalurl function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to...

Tauri 安全漏洞

Tauri is an open-source project developed by Tauri developers, aimed at creating smaller, faster, and more secure desktop applications using web frontends. Versions of Tauri from 2.0 to 2.11.0 contain security vulnerabilities. These vulnerabilities stem from the islocalurl function, which...

Important: php8.5

Issue Overview: uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes. CVE-2026-42371 In uriparser before 1.0.2, there is pointer difference truncation to int in various places. CVE-2026-44927 In uriparser before 1.0.2, t...

Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files

Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...

PT-2026-41687

Summary The FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treatin...

EUVD-2026-29467

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No...

CVE-2026-44993 OpenClaw < 2026.4.20 - Direct Message Misclassification in Feishu Card Actions

OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been...

CVE-2026-44928

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal...

CVE-2026-44928

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal...

Linux Distros Unpatched Vulnerability : CVE-2026-44928

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. CVE-2026-44928 Note that Nessus relies on the presence of th...

CVE-2026-41403

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

EUVD-2026-26110

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

CVE-2026-41403 OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

CVE-2026-41403 OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

CVE-2026-41403

OpenClaw npm package (= 2026.3.31 to remediate. For context, CVSS metrics from Vulners indicate both low (local) and medium (network) impact vectors, but official exploitation status is not described in the connected documents.

OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped dmPolicy enforcement for card actions, so a...

GHSA-72Q8-JCMC-97WX OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped dmPolicy enforcement for card actions, so a...

CVE-2026-41341 OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement o...