252644 matches found
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
Summary Device-Paired Node Skips Node Scope Gate → Host RCE.md Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real in shipped v2026.3.28 because a merely device-paired node could expose node commands without node pairing, but high is sufficient given the...
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...
Improper Isolation or Compartmentalization
Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in shared renderer...
Improper Isolation or Compartmentalization
Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in...
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Impact The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable...
PT-2026-30005
Impact The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable...
PT-2026-30013
Name of the Vulnerable Software and Affected Versions Antrea versions prior to 2.4.5 and 2.5.2 Description Antrea, a Kubernetes networking solution, has a missing encryption issue affecting inter-Node Pod traffic. In dual-stack networking clusters with IPsec encryption enabled...
Antrea has Missing Encryption of Sensitive Data
This is a missing encryption vulnerability CWE-311 affecting inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled trafficEncryptionMode: ipsec, Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctly...
Linux kernel 安全漏洞
The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the fact that the device node reference is not released properly within the logicvcdrmconfigparse...
PT-2026-30040
In the Linux kernel, the following vulnerability has been resolved: drm/logicvc: Fix device node reference leak in logicvc drm config parse The logicvc drm config parse function calls of get child by name to find the "layers" node but fails to release the reference, leading to a device node...
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
A packaging error in Anthropic’s Claude Code npm release briefly exposed internal source code. This entry examines how threat actors rapidly weaponized the resulting attention, pivoting an existing AI-themed campaign to spread Vidar and GhostSocks...
GHSA-MHGQ-XPFQ-6R66 OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...
CVE-2026-34825
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who...
Arbitrary Code Injection
Overview dbgate-web is a This package is used internally by DbGate Affected versions of this package are vulnerable to Arbitrary Code Injection through the FontIcon rendering path in packages/web/src/icons/FontIcon.svelte. An attacker can execute arbitrary JavaScript in a victim’s browser, or...
CVE-2026-34825
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who...
CVE-2026-34825
Summary (CVE-2026-34825) NocoBase’s plugin-workflow-sql component (pre-2.0.30) builds SQL by substituting template variables directly into raw SQL strings via getParsedValue(), with no parameterization or escaping. An attacker who triggers a workflow containing a SQL node using user-controlled da...
CVE-2026-34825 NocoBase Has SQL Injection via template variable substitution in workflow SQL node
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who...
GO-2026-4894 Flannel has cross-node remote code execution via extension backend BackendData injection in github.com/flannel-io/flannel
Flannel has cross-node remote code execution via extension backend BackendData injection in github.com/flannel-io/flannel...
Axios npm Supply Chain Incident Impacting @usebruno/cli
Impact This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...
Malicious code in expreeeess (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f655863438463b445574f12a5195c9635704e2158556ae437ee3a71c2e083d6b The package expreeeess was found to contain malicious code. Source: ossf-package-analysis...