Lucene search
K

508 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.6 views

CVE-2026-32896

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

6.5CVSS5.8AI score0.00249EPSS
Exploits0References1
OSV
OSV
added 2026/03/21 3:31 a.m.4 views

GHSA-VH4C-J2XV-9PV9 Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path...

6.3CVSS5.7AI score0.00249EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/21 3:31 a.m.10 views

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path...

6.5CVSS5.7AI score0.00249EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/03/21 3:31 a.m.4 views

EUVD-2026-13972

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

6.3CVSS5.8AI score0.00249EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/21 12:42 a.m.4 views

CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin

The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the...

6.3CVSS5.8AI score0.00249EPSS
Exploits0References4
CVE
CVE
added 2026/03/21 12:42 a.m.18 views

CVE-2026-32896

The issue is OpenClaw versions prior to 2026.2.21 where the BlueBubbles webhook handler contains a passwordless fallback authentication path. This allows unauthenticated webhook events in certain reverse-proxy or local routing configurations by exploiting loopback/proxy heuristics, enabling an at...

6.5CVSS5.8AI score0.00249EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.28 views

CVE-2026-32896 OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin

The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the...

6.3CVSS0.00249EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.8 views

OpenClaw 访问控制错误漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that stems from the BlueBubbles webhook handler containing a passwordless fallback authentication path, which can be exploited by an attacker to cause an...

6.5CVSS5.8AI score0.00249EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.7 views

PT-2026-26745

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy...

6.3CVSS5.8AI score0.00249EPSS
Exploits0References5
AlpineLinux
AlpineLinux
added 2026/03/18 5:53 p.m.2 views

CVE-2026-32633

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri...

9.1CVSS5.8AI score0.00472EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/18 5:53 p.m.3 views

CVE-2026-32633

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri...

9.1CVSS5.8AI score0.00472EPSS
Exploits1References4Affected Software1
GithubExploit
GithubExploit
added 2026/03/17 9:24 p.m.148 views

Exploit for OS Command Injection in Nagios Nagios_Xi

Nagios-CVE-2019-15949-RCE-Poc a python PoC for the CVE-2019-15...

9CVSS5.8AI score0.77741EPSS
Exploits13
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.5 views

Pocket ID 安全漏洞

Pocket ID is an open-source identity provider that supports passwordless authentication. Versions of Pocket ID prior to 2.4.0 contained a security vulnerability. This vulnerability stemmed from the OIDC token endpoint only refusing authorization codes when the client ID was incorrect and the code...

8.5CVSS7.3AI score0.00257EPSS
Exploits1References2
Packet Storm News
Packet Storm News
added 2026/03/08 12:0 a.m.2 views

Broken Access: On the Challenges of Screen Reader Assisted Two-Factor and Passwordless Authentication

In today's technology-driven world, web services have opened up new opportunities for blind and visually impaired people to interact independently. Securing interactions with these services is crucial; however, currently deployed authentication mainly concentrate on sighted users, overlooking the...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/03/04 10:53 p.m.5 views

ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Summary A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover. Impact Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after...

7.7CVSS6.2AI score0.00318EPSS
Exploits0References4Affected Software2
Snyk
Snyk
added 2026/03/04 10:53 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/04 10:53 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the login UI due to improper handling of the default redirect URI. An attacker can execute arbitrary JavaScript code in the victim's browser by setting a malicious redirect URI, potentially allowing them to...

8.3CVSS5.7AI score0.00318EPSS
Exploits0References2
Rows per page
Query Builder