OpenClaw: Nostr profile mutation routes allowed operator.write config persistence

Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...

GHSA-5GJC-GRVM-M88J OpenClaw: Memory dreaming config persistence was reachable from operator.write commands

Summary Memory dreaming config persistence was reachable from operator.write commands. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A write-scoped gateway path could toggle persistent memory dreaming settings through /dreamin...

OpenClaw: Memory dreaming config persistence was reachable from operator.write commands

Summary Memory dreaming config persistence was reachable from operator.write commands. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A write-scoped gateway path could toggle persistent memory dreaming settings through /dreamin...

CVE-2026-40351 FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object e.g., "$ne": "" as the password field. This NoSQL...

CVE-2026-40351

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object e.g., "$ne": "" as the password field. This NoSQL...

EUVD-2026-23557

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object e.g., "$ne": "" as the password field. This NoSQL...

CVE-2026-35469 vulnerabilities

Vulnerabilities for packages: trivy, percona-server-mongodb-operator, eksctl, datadog-agent, linkerd2, kube-arangodb, postgres-operator, gitlab-runner, k3s, rancher, kwok, redis-operator, emissary, cri-tools, rancher-agent, juicefs-csi-driver, kpt, cloudnative-pg, aws-node-termination-handler,...

GHSA-PC3F-X583-G7J2 vulnerabilities

Vulnerabilities for packages: trivy, percona-server-mongodb-operator, eksctl, datadog-agent, linkerd2, kube-arangodb, postgres-operator, gitlab-runner, k3s, rancher, kwok, redis-operator, emissary, cri-tools, rancher-agent, juicefs-csi-driver, kpt, cloudnative-pg, aws-node-termination-handler,...

GHSA-PC3F-X583-G7J2 vulnerabilities

Vulnerabilities for packages: longhorn-cli, cluster-api, cri-tools, kubescape-server, rancher-agent, kube-arangodb-fips, trivy, trivy-fips, eksctl, k8ssandra-client-fips, postgres-operator-fips, redis-operator-fips, k8ssandra-client, percona-xtradb-cluster-operator, rancher-fleet-fips,...

PT-2026-33519

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object e.g., "$ne": "" as the password field. This NoSQL...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.6.0) +10169 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.0.0 <=6.2.17)

org.springframework:spring-webmvc MAVEN version =6.0.0, =0.2.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.8.7 and more Source cves: CVE-2026-22741 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-16109603...

Important: Red Hat Security Advisory: OpenShift Compliance Operator bug fix and enhancement update

An updated OpenShift Compliance Operator image that fixes various bugs and adds new enhancements is now available for the Red Hat OpenShift Enterprise 4 catalog. The OpenShift Compliance Operator v1.9.0 is now available. See the documentation for bug fix information:...

CLEANSTART-2026-RR42740 During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions

Multiple security vulnerabilities affect the gpu-operator package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details...

CLEANSTART-2026-VZ35122 filippo

Multiple security vulnerabilities affect the percona-xtradb-cluster-operator package. filippo. See references for individual vulnerability details...

CLEANSTART-2026-IY92636 During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succ...

Multiple security vulnerabilities affect the percona-xtradb-cluster-operator package. During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it...

Operator Precedence Logic Error

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADDTAGS over FORBIDTAGS in sanitizeElements. In an application where ADDTAG...

Operator Precedence Logic Error

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADDTAGS over FORBIDTAGS in sanitizeElements. In an...

CLEANSTART-2026-TZ92532 filippo

Multiple security vulnerabilities affect the percona-xtradb-cluster-operator-fips package. filippo. See references for individual vulnerability details...

CLEANSTART-2026-JZ43336 During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions

Multiple security vulnerabilities affect the percona-xtradb-cluster-operator package. During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions. See references for individual vulnerability details...

CLEANSTART-2026-AN01004 filippo

Multiple security vulnerabilities affect the percona-xtradb-cluster-operator-fips package. filippo. See references for individual vulnerability details...