6 matches found
GHSA-JQPQ-MGVM-F9R6 OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
Command hijacking via PATH handling. Discovered: 2026-02-04. Reporter: @akhmittra. Summary: OpenClaw previously accepted untrusted PATH sources in limited situations. In affected versions, this could cause OpenClaw to resolve and execute an unintended binary ("command hijacking") when running host...
0xgasless-mcp (>=1.0.3 <=1.0.5), 4d-vector-search (>=1.0.0 <=1.0.1) +2226 more potentially affected by CVE-2026-25528 via langsmith (>=0.3.7 <=0.4.12)
langsmith NPM version =0.3.7, =1.0.3, =1.0.0, =1.11.0, =0.0.5, =0.0.1, =1.0.0, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =1.0.6, =0.0.1, =1.0.0, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2026-25528 Source advisory: SNYK:JS-LANGSMITH-15253025...
MAL-2025-26807 Malicious code in mp3-file-zip-d-ownload-37823-billys-live-bait-gqddl-gymxld (npm)
The package mp3-file-zip-d-ownload-37823-billys-live-bait-gqddl-gymxld was found to contain malicious code...
Malicious code in less-loader-spectron-exoplanetology-phenomic (npm)
The package less-loader-spectron-exoplanetology-phenomic was found to contain malicious code...
ECDSA signature vulnerability of Minerva timing attack in jsrsasign
Impact: An ECDSA side-channel attack named Minerva has been found, and it affects jsrsasign. By observing the execution time of thousands of signature generations, the EC private key, which is a scalar value, may be recovered, since point and scalar multiplication time depends on bits ...
Fedora 30 : nodejs-handlebars (2019-c1213f866c)
Security fix for https://www.npmjs.com/advisories/755 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional...