CVE-2026-41180

Summary: PsiTransfer before 2.4.3 is vulnerable to a path traversal in the upload PATCH flow (/files/:uploadId). The attack can abuse a mounted request path vs the downstream tus handler’s decoded uploadId to cause an unauthenticated attacker to create a file named with a pattern like config..js ...

CVE-2026-41180 PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In...

GROWI 安全漏洞

GROWI is an enterprise-level open-source knowledge base/Wiki system built using Node.js and React by GROWI Inc. GROWI has a security vulnerability that stems from a susceptibility to regular expression denial-of-service attacks...

PT-2026-34733

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution RCE vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined wi...

PT-2026-34783

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation...

OpenClaw 安全漏洞

OpenClaw is a software platform for device pairing and node management, with key features including device authentication, node-wide gateway control, and remote command execution. OpenClaw suffers from a remote code execution vulnerability that stems from a device pairing node failing to properly...

Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Summary A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...

Malicious code in @spinstorm/shared (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e56e452f9b6929e66be95ebdf49d432e7bbfeb76fc349123bcc39175f412e802 The package @spinstorm/shared was found to contain malicious code. Source: ossf-package-analysis...

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13074 more potentially affected by CVE-2026-41673 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41673 Source advisory: OSV:GHSA-2V35-W6HQ-6MFW...

08cms (=1.0.0), 0uth (>=1.0.5 <=1.2.1) +13074 more potentially affected by CVE-2026-41674 via xmldom (>=0.1.11 <=0.6.0)

xmldom NPM version =0.1.11, =1.0.5, =1.0.0, =1.0.0, =1.7.3, =0.1.0, =0.0.2, =0.0.1, =1.0.2, =1.0.3, =1.0.23, =1.0.1, =1.3.1 and more Source cves: CVE-2026-41674 Source advisory: OSV:GHSA-F6WW-3GGP-FR8H...

org.webjars.npm:adal-node (=0.1.28), org.webjars.npm:canvg (>=1.5.2 <=1.5.3) +14 more potentially affected by CVE-2026-41675 via org.webjars.npm:xmldom (>=0.1.31 <=0.6.0)

org.webjars.npm:xmldom MAVEN version =0.1.31, =1.5.2, =0.7.2, =0.14.0, =0.11.0, =7.14.0, =2.7.0, =2.9.2 and more Source cves: CVE-2026-41675 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16134553...

CVE-2026-34064

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

CVE-2026-34065

CVE-2026-34065 affects nimiq-primitives in Nimiq’s Rust implementation. Before version 1.3.0, an untrusted p2p peer could cause a node to panic by announcing an election macro block whose validators set includes an invalid compressed BLS voting key. Hashing the election macro header hashes the va...

CVE-2026-34065 nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

nimiq-primitives contains primitives e.g., block, account, transaction to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashi...

CVE-2026-34065 nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

nimiq-primitives contains primitives e.g., block, account, transaction to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashi...

CVE-2026-34063 network-libp2p: Peer can crash the node by opening discovery protocol substream twice

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, network-libp2p discovery uses a libp2p ConnectionHandler state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer...

CVE-2026-34063

CVE-2026-34063 affects Nimiq’s network-libp2p prior to v1.3.0. The discovery mechanism assumes at most one inbound and one outbound substream per connection; if a remote peer opens the discovery protocol substream a second time, the libp2p ConnectionHandler may panic with “Inbound already connect...

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

Impact An untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashing an election macro header hashes validators and reaches Validators::votingkeys, which calls validator.votingkey.uncompress.unwrap...