Lucene search
K

2333 matches found

Snyk
Snyk
added 2026/06/15 7:59 p.m.8 views

Trust Boundary Violation

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Trust Boundary Violation through the mutation of data.allowedTags or data.allowedAttributes in hooks, which directly alters the global default sets used for...

6.1CVSS5.4AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 7:59 p.m.39 views

DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`

Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULTALLOWEDTAGS / DEFAULTALLOWEDATTR CWE: CWE-501 Trust Boundary Violation — hook-scoped mutation leaks to global default sets via CWE-693 Protection Mechanism Failure — the default allow-list is silently widened f...

5.6AI score
Exploits0References2Affected Software1
GithubExploit
GithubExploit
added 2026/06/13 7:10 a.m.95 views

Exploit for CVE-2026-41490

CVE-2026-41490 — SQL Injection in Dagster database I/O manager...

8.3CVSS6.2AI score0.00265EPSS
Exploits1
EUVD
EUVD
added 2026/06/13 12:34 a.m.9 views

EUVD-2026-36626

OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...

9.8CVSS5.2AI score0.00221EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 10:16 p.m.10 views

CVE-2026-53838

OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...

9.8CVSS0.00221EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:57 p.m.7 views

CVE-2026-53838 OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection

OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...

9.8CVSS5.2AI score0.00221EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:57 p.m.33 views

CVE-2026-53838

OpenClaw is affected by a state mutation vulnerability in node pairing reconnection prior to version 2026.5.27. The issue lets paired nodes confuse approval scope decisions by manipulating reconnection logic, potentially restoring or presenting broader node authority than intended and bypassing a...

9.8CVSS5.3AI score0.00221EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/12 9:57 p.m.30 views

CVE-2026-53838 OpenClaw < 2026.5.27 - Node Pairing State Mutation via Reconnection

OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval...

9.8CVSS0.00221EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.27 views

CVE-2026-53833 QQBot for OpenClaw < 2026.4.29 - Authorization Bypass via QQBot Streaming Command

OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching t...

7.7CVSS0.00172EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/12 6:28 p.m.9 views

Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

The webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding...

7.5CVSS5.2AI score0.00224EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/12 6:28 p.m.6 views

GHSA-QHV3-WJG8-6FX6 Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

The webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding...

7.5CVSS5.3AI score0.00224EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.10 views

PT-2026-49037

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.29 Description An authorization bypass exists in the QQBot streaming command. This issue allows authenticated senders to modify configuration settings without explicit allowFrom restrictions. Attackers can...

7.7CVSS5.2AI score0.00172EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.12 views

PT-2026-49042

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.27 Description A state mutation issue exists in the node pairing reconnection process. This allows paired nodes to confuse approval scope decisions, enabling attackers to exploit reconnection logic to restore ...

9.8CVSS5.2AI score0.00221EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 2:50 a.m.10 views

Malicious code in express-self-destruct (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...

5.7AI score
Exploits0References1
OSV
OSV
added 2026/06/11 2:50 a.m.10 views

MAL-2026-5553 Malicious code in express-self-destruct (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...

5.7AI score
Exploits0References1
NVD
NVD
added 2026/06/06 4:16 p.m.12 views

CVE-2026-11436

A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mageai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirecturl results in cross site scripting. Remote...

5.3CVSS0.00263EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/06 3:45 p.m.6 views

CVE-2026-11436

A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mageai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirecturl results in cross site scripting. Remote...

5.3CVSS4AI score0.00263EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/06 3:45 p.m.37 views

CVE-2026-11436 Mage AI Sign-in Flow index.tsx useMutation cross site scripting

A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mageai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirecturl results in cross site scripting. Remote...

5.3CVSS0.00263EPSS
Exploits0References5
CVE
CVE
added 2026/06/06 3:45 p.m.26 views

CVE-2026-11436

Mage AI up to version 0.9.79 is affected in the Sign-in Flow. The vulnerability is in the useMutation function within mage_ai/frontend/components/Sessions/SignForm/index.tsx, where manipulating the query.redirect_url argument triggers cross site scripting. Remote exploitation is possible, and the...

5.3CVSS4.1AI score0.00263EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.8 views

CVE-2026-41185

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...

6.5CVSS5.5AI score0.00323EPSS
Exploits0References1
Rows per page
Query Builder