CVE-2026-39339

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution

The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file i.e., \\sms,...

PT-2026-44832

Incorrect permission settings on a critical resource in Suprema BioStar 2 versions 2.9.3 through 2.9.11 that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly...

CVE-2026-44330

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token e.g. Authorization...

GHSA-3JMG-P96M-M328 FileBrowser Quantum: unauthenticated user share share info

Impact Some sensitive info -- such as source and path can get exposed. Patches Update to the latest version Workarounds no...

PT-2026-42046

Impact Some sensitive info -- such as source and path can get exposed. Patches Update to the latest version Workarounds no...

CVE-2026-42552

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::error writes the full exception message, exception code, and stack trace including absolute filesystem paths directly into the HTTP 500 response, with no debug gating. Production deployments leak...

GHSA-X7Q7-FCHV-8H2J Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj

Impact Prototype pollution is possible when property paths contain proto/constructor/prototype. The property path must not be exposed as user input...

GHSA-7FW3-X4R2-G7WC Portainer has a bind-mount restriction bypass via HostConfig.Mounts

Summary Portainer offers an environment-level Disable bind mounts for non-administrators security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy...

CVE-2026-42593

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf +...

CVE-2026-44002

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class intended as a safe wrapper for V8's native CallSite blocks getThis and getFunction to prevent host object leakage, but allows getFileName to return unsanitized host absolute paths. Any sandboxed code can...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node.js modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from the CallSite wrapper class allowing...

Duplicate Advisory: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2f7j-rp58-mr42. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin...

CVE-2026-41339

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks...

BIT-OAUTH2-PROXY-2026-41059 OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

CVE-2026-41060

WWBN AVideo is an open source video platform. In versions 29.0 and below, the isSSRFSafeURL function in objects/functions.php contains a same-domain shortcircuit lines 4290-4296 that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares on...

CVE-2026-41060 AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

WWBN AVideo is an open source video platform. In versions 29.0 and below, the isSSRFSafeURL function in objects/functions.php contains a same-domain shortcircuit lines 4290-4296 that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares on...

PT-2026-34205

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The isSSRFSafeURL function in objects/functions.php contains a same-domain shortcircuit that allows any URL with a hostname matching webSiteRootURL to bypass Server-Side Request Forgery SSRF...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

Summary Before OpenClaw 2026.4.2, the Gateway connect success snapshot exposed local configPath and stateDir metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role. Impact A non-admin client...