58578 matches found
Improper Handling of Insufficient Permissions or Privileges
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the operator.write module reaching admin-class Talk Voice configuration persistence through chat.send. An attacker can gain...
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
Summary Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow...
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
Summary /phone arm//phone disarm Bypasses operator.admin Scope Check for External Channels Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped...
GHSA-H2V7-XC88-XX8C OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
Summary /phone arm//phone disarm Bypasses operator.admin Scope Check for External Channels Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped...
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
CVE-2026-22683 affects Windmill versions 1.56.0–1.614.0, where missing authorization checks on the Operator role allow prohibited entity creation and modification via the backend API. Operators can create/update scripts, flows, apps, and raw_apps, and can execute scripts via the jobs API, enablin...
Security Bulletin: IBM App Connect Enterprise Certified Container operator is vulnerable to denial of service (CVE-2026-25518)
Summary Golang module cert-manager/cert-manager is used by IBM App Connect Enterprise Certified Container for interacting with the Kubernetes cluster cert-manager. IBM App Connect Enterprise Certified Container operator is vulnerable to denial of service. This bulletin provides patch information ...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality (CVE-2025-64718)
Summary Node.js module js-yaml is used by IBM App Connect Enterprise Certified Container for parsing YAML data. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in...
CLEANSTART-2026-HX94762 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the prometheus-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
PT-2026-30913
Name of the Vulnerable Software and Affected Versions Windmill versions 1.56.0 through 1.614.0 Description Windmill versions 1.56.0 through 1.614.0 have a missing authorization vulnerability. Users with the Operator role can perform prohibited entity creation and modification actions via the...
Windmill 安全漏洞
Windmill is a low-code development platform open-source by Windmill Labs, Inc. Versions of Windmill from 1.56.0 to 1.614.0 contain security vulnerabilities. These vulnerabilities stem from lack of authorization, which may allow users with the Operator role to perform prohibited entity creation an...
CVE-2026-34217
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CVE-2026-34217
CVE-2026-34217 (SandboxJS) affects @nyariv/sandboxjs
CVE-2026-34217 SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CVE-2026-34217 SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CLEANSTART-2026-SQ68600 Security fixes for CVE-2023-45288, CVE-2024-24786, CVE-2024-45338, CVE-2025-22868, CVE-2025-22869, CVE-2025-22872, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-58190, CVE-2025-65637, ghsa-4f99-4q7p-p3gh, ghsa-4v7x-pqxf-cx7m, ghsa-6v2p-p543-phr9, ghsa-8r3f-844c-mc37, ghsa-f6x5-jh6r-wrfv, ghsa-hcg3-q754-cr77, ghsa-j5w8-q4qc-rx2x, ghsa-qxp5-gwg8-xv66, ghsa-v778-237x-gjrc, ghsa-vvgc-356p-c3xw applied in versions: 1.18.2-r0
Multiple security vulnerabilities affect the kube-fluentd-operator package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-WI06218 Security fixes for CVE-2026-25679, CVE-2026-27139, CVE-2026-27142 applied in versions: 1.15.1-r0
Multiple security vulnerabilities affect the postgres-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...