126717 matches found
📄 Langflow 1.8.1 Remote Code Execution
This Python script is a multi-threaded tool targeting a suspected vulnerability in Langflow versions 1.8.1 and below that allows unauthenticated remote code execution through unsafe execution of CustomComponent code during flow compilation...
SUSE CVE-2026-33936
The ecdsa PyPI package is a pure Python implementation of ECC Elliptic Curve Cryptography with support for ECDSA Elliptic Curve Digital Signature Algorithm, EdDSA Edwards-curve Digital Signature Algorithm and ECDH Elliptic Curve Diffie-Hellman. Prior to version 0.19.2, an issue in the low-level D...
ANT-2026-6DSMTXZ8 · mastodon · SSRF
ssrf high GHSA-crr4-7rm4-8gpw Severity Claude high · Security research firm high · Maintainer unknown Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Doyensec. ANT-2026-6DSMTXZ8: SSRF Bypass via IPv6 Unspecified...
ANT-2026-P2DWB2SK · mastodon · Signature-bypass
signature-bypass high GHSA-chgx-jx3p-rf73 Severity Claude high · Security research firm high · Maintainer unknown Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Doyensec. ANT-2026-P2DWB2SK: LD-Signature bypass via...
Security Bulletin: Incorrect administrative access control in IBM DataPower Gateway
Summary This issue allowed valid administrative users to see services within domains to which they should have had no access. Vulnerability Details CVEID:CVE-2025-36373 DESCRIPTION: IBM DataPower Gateway could disclose sensitive system information from other domains to an administrative user...
Security Bulletin: Multiple Vulnerabilities in IBM API Connect
Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.0.2 Vulnerability Details CVEID:CVE-2012-6708 DESCRIPTION: jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not differentiate selectors from HTML in a reliable...
GHSA-955R-262C-33JC Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2
Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline...
Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2
Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline...
GHSA-W6M8-CQVJ-PG5V OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS Slow-Body / Slowloris Variant Description: Summary The patch for CVE-2026-32011 tightened pre-auth body parsing limits from 1MB/30s to...
OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS Slow-Body / Slowloris Variant Description: Summary The patch for CVE-2026-32011 tightened pre-auth body parsing limits from 1MB/30s to...
OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Sandbox Media Root Bypass via Unnormalized mediaUrl / fileUrl Parameter Keys CWE-22 Description: Summary A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary...
GHSA-HR5V-J9H9-XJHG OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Sandbox Media Root Bypass via Unnormalized mediaUrl / fileUrl Parameter Keys CWE-22 Description: Summary A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary...
OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in !stop Chat Command via shell-utils.ts Description: Summary The !stop and /bash stop chat command kills background bash processes using SIGKILL directly,...
GHSA-3298-56P6-RPW2 OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
Fixed in OpenClaw 2026.3.24, the current shipping release. Advisory Details Title: Incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in !stop Chat Command via shell-utils.ts Description: Summary The !stop and /bash stop chat command kills background bash processes using SIGKILL directly,...
GHSA-Q6JJ-R49P-94FH AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Summary The getapivideofile and getapivideo API endpoints in AVideo return full video playback sources direct MP4 URLs, HLS manifests for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTu...
AVideo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification
Summary The getapivideofile and getapivideo API endpoints in AVideo return full video playback sources direct MP4 URLs, HLS manifests for password-protected videos without verifying the video password. While the normal web playback flow enforces password checks via the CustomizeUser::getModeYouTu...
Security Bulletin: IBM DataPower Gateway vulnerable to CSRF
Summary IBM DataPower Gateway is affected by a cross-site request forgery vulnerability Vulnerability Details CVEID:CVE-2025-36375 DESCRIPTION: IBM DataPower Gateway is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted...
Security Bulletin: IBM DataPower Gateway vulnerable to Denial of Service due to body-parser
Summary The affected package is used in the UI Vulnerability Details CVEID:CVE-2025-13466 DESCRIPTION: body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands o...
Security Bulletin: IBM Maximo Application Suite - Manage Component uses ajv-6.12.6 in multiple applications which is vulnerable CVE-2025-69873
Summary IBM Maximo Application Suite - Manage Component uses ajv-6.12.6 in multiple applications which is vulnerable CVE-2025-69873 Vulnerability Details CVEID:CVE-2025-69873 DESCRIPTION: ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS...
Security Bulletin: Location Service for ESRI Component uses cryptography-46.0.3, flask-3.1.2 and werkzeug-3.1.5 library which were vulnerable to CVE-2026-26007, CVE-2026-27205 and CVE-2026-27199 respectively
Summary Location Service for ESRI Component uses cryptography-46.0.3, flask-3.1.2 and werkzeug-3.1.5 library which were vulnerable to CVE-2026-26007, CVE-2026-27205 and CVE-2026-27199 respectively. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web...