58578 matches found

OSV
added 2026/04/09 12:57 a.m., 2 views

CLEANSTART-2026-BA09462 OpenTelemetry-Go is the Go implementation of OpenTelemetry

Multiple security vulnerabilities affect the cass-operator-fips package. OpenTelemetry-Go is the Go implementation of OpenTelemetry. See references for individual vulnerability details...

9.8 CVSS, 7.1 AI score, 0.00522 EPSS
Exploits 1, References 7
OSV
added 2026/04/09 12:57 a.m., 1 views

CLEANSTART-2026-UQ00642 Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default

Multiple security vulnerabilities affect the minio-operator-fips package. Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. See references for individual vulnerability details...

9.8 CVSS, 6.9 AI score, 0.00789 EPSS
Exploits 2, References 18
OSV
added 2026/04/09 12:57 a.m., 3 views

CLEANSTART-2026-UF78567 net/url package does not set a limit on the number of query parameters in a query

Multiple security vulnerabilities affect the minio-operator-fips package. The net/url package does not set a limit on the number of query parameters in a query. See references for individual vulnerability details...

9.8 CVSS, 7 AI score, 0.00789 EPSS
Exploits 2, References 22
OSV
added 2026/04/09 12:56 a.m., 4 views

CLEANSTART-2026-ST75560 During the TLS 1

Multiple security vulnerabilities affect the minio-operator-fips package. During the TLS 1. See references for individual vulnerability details...

9.8 CVSS, 7 AI score, 0.00789 EPSS
Exploits 2, References 17
OSV
added 2026/04/09 12:55 a.m., 0 views

CLEANSTART-2026-OT38160 url

Multiple security vulnerabilities affect the minio-operator-fips package. url. See references for individual vulnerability details...

9.8 CVSS, 7.3 AI score, 0.00522 EPSS
Exploits 1, References 12
OSV
added 2026/04/09 12:45 a.m., 2 views

CLEANSTART-2026-HZ73294 Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service

Multiple security vulnerabilities affect the kube-fluentd-operator package. Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. See references for individual...

9.8 CVSS, 7 AI score, 0.91969 EPSS
Exploits 4, References 39
Positive Technologies
added 2026/04/09 12:0 a.m., 11 views

PT-2026-31659

Name of the Vulnerable Software and Affected Versions: Aiven Operator versions 0.31.0 through 0.36.9. Description: Aiven Operator allows provisioning and management of Aiven Services from a Kubernetes cluster. A developer with create permission on ClickhouseUser Custom Resource Definitions (CRDs) in...

6.8 CVSS, 5.2 AI score, 0.00394 EPSS
Exploits 0, References 9
CNNVD
added 2026/04/09 12:0 a.m., 6 views

Aiven Operator security vulnerability

Aiven Operator is an open-source Kubernetes cluster management service developed by Aiven. Versions of Aiven Operator from 0.31.0 to 0.37.0 contained a security vulnerability. This vulnerability stemmed from the operator trusting the namespace values provided by users without verification. As a...

6.8 CVSS, 5.8 AI score, 0.00394 EPSS
Exploits 0, References 4
CNNVD
added 2026/04/09 12:0 a.m., 2 views

OpenClaw security vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from improper access control in the HTTP /sessions/:sessionKey/kill route. As a result, any user with a toke...

8.1 CVSS, 5.8 AI score, 0.00339 EPSS
Exploits 0, References 3
CNNVD
added 2026/04/09 12:0 a.m., 3 views

OpenClaw security vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcement of the operator.admin scope for mutated internal ACP chat commands, which could...

7.1 CVSS, 5.8 AI score, 0.00225 EPSS
Exploits 0, References 4
CNNVD
added 2026/04/09 12:0 a.m., 4 views

OpenClaw security vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from allowing attackers with the operator.read scope to expose credentials, potentially leading to informati...

7.1 CVSS, 5.8 AI score, 0.00193 EPSS
Exploits 0, References 4
Positive Technologies
added 2026/04/09 12:0 a.m., 1 views

PT-2026-31778

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.25. Description: OpenClaw contains a privilege escalation issue in the gateway plugin subagent's deleteSession function. This function utilizes a synthetic operator.admin runtime scope, allowing attackers to...

8.1 CVSS, 6 AI score, 0.0028 EPSS
Exploits 0, References 7
Chainguard
added 2026/04/08 7:17 p.m., 6 views

GHSA-XMRV-PMRH-HHX2 vulnerabilities

Vulnerabilities for packages: crossplane-provider-aws-wafv2, trivy, influxd, nuclei, commercial-chainloop-backend, loki, terragrunt, gitlab-runner, crossplane-provider-aws-cloudwatchlogs-fips, crossplane-provider-aws-route53-fips, kubescape-server, crossplane-provider-aws-elasticache, dapr,...

5.2 AI score
Exploits 0
OSV
added 2026/04/08 12:39 a.m., 8 views

CLEANSTART-2026-TI57220 url

Multiple security vulnerabilities affect the prometheus-operator package. url. See references for individual vulnerability details...

9.8 CVSS, 7 AI score, 0.00789 EPSS
Exploits 2, References 19
GitHub Security Blog
added 2026/04/08 12:5 a.m., 5 views

Addressable has a Regular Expression Denial of Service in Addressable templates

Impact: Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the explode modifier with any expansion operator (e.g., foo, +var, var, /var, .var, ;var, ?var, &var) generate patterns...

7.5 CVSS, 5.8 AI score, 0.0036 EPSS
Exploits 0, References 4, Affected Software 1
CNVD
added 2026/04/08 12:0 a.m., 1 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16698)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause an attacker with operator.pairing privileges to cast tokens with broader privileges to obtain an operator.admin token and execute...

9.9 CVSS, 7.7 AI score, 0.0054 EPSS
Exploits 0
CNVD
added 2026/04/08 12:0 a.m., 0 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16694)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause an authenticated operator with only operator.write privileges to access the administrator-specific browser profile management rout...

7.1 CVSS, 5.7 AI score, 0.00288 EPSS
Exploits 0
RubySec
added 2026/04/08 12:0 a.m., 9 views

Addressable has a Regular Expression Denial of Service in Addressable templates

Impact: Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking: 1. Templates using the explode modifier with any expansion operator (e.g., foo, +var, var, /var, .var, ;var, ?var, &var) generate patterns...

7.5 CVSS, 5.8 AI score, 0.0036 EPSS
Exploits 0, References 1, Affected Software 1
EUVD
added 2026/04/07 6:31 p.m., 0 views

EUVD-2026-19747

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

8.8 CVSS, 6.5 AI score, 0.00678 EPSS
Exploits 0, References 7
OSV
added 2026/04/07 6:11 p.m., 3 views

GHSA-767M-XRHC-FXM7 OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

Summary: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated...

7.1 CVSS, 5.8 AI score, 0.00232 EPSS
Exploits 0, References 5