CVE-2026-33987 FreeRDP: Persistent Cache bmpSize Desync - Heap OOB Write

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistentcachereadentryv3 in libfreerdp/cache/persistent.c, persistent-bmpSize is updated before winpralignedrecalloc. If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This...

CVE-2026-33982 FreeRDP: Persistent Cache Allocator Mismatch - Heap OOB Read

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpralignedoffsetrecalloc. This issue has been patched in version 3.24.2...

CVE-2026-33982

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpralignedoffsetrecalloc. This issue has been patched in version 3.24.2...

OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface

Fixed in OpenClaw 2026.3.24, the current shipping release. Title browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q Severity Assessment High CWE: - CWE-863: Incorrect Authorization Proposed CVSS v3.1: - 8.1...

GHSA-XP9R-PRPG-373R OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface

Fixed in OpenClaw 2026.3.24, the current shipping release. Title browser.request still allows POST /reset-profile through the operator.write surface in OpenClaw v2026.3.22 after GHSA-vmhq-cqm9-6p7q Severity Assessment High CWE: - CWE-863: Incorrect Authorization Proposed CVSS v3.1: - 8.1...

CVE-2026-33028 Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

GHSA-66M2-V9V9-95C3 ci4-cms-erp/ci4ms: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via System Settings – Mail Settings Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Mail Settings Configuration Fields Description The application fails to properly sanitize user-controlled input withi...

FreeRDP 安全漏洞

FreeRDP is an open source Remote Desktop Protocol RDP implementation library and client . FreeRDP suffers from a heap buffer overflow vulnerability. The vulnerability arises due to an out-of-bounds heap memory write due to a bmpSize synchronization error in the persistent cache. An attacker can...

CVE-2026-33987

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, in persistentcachereadentryv3 in libfreerdp/cache/persistent.c, persistent-bmpSize is updated before winpralignedrecalloc. If realloc fails, bmpSize is inflated while bmpData points to the old buffer. This...

CVE-2026-33982

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, there is a heap-buffer-overflow READ vulnerability at 24 bytes before the allocation, in winpralignedoffsetrecalloc. This issue has been patched in version 3.24.2...

Wa3r-OffSec-Kit

🔐 Wa3r-OffSec-Kit - Practical Security Tools and Notes !Dow...

SUSE CVE-2026-32771

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals i.e. logs, metrics and distributed traces. In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go lines 248-254 is vulnerable to Path Traversal due to a missing...

Red-MIRROR: Agentic LLM-Based Autonomous Penetration Testing with Reflective Verification and Knowledge-Augmented Interaction

Web applications remain the dominant attack surface in cybersecurity, where vulnerabilities such as SQL injection, XSS, and business logic flaws continue to cause significant data breaches. While penetration testing is effective for identifying these weaknesses, traditional manual approaches are...

GHSA-CW7V-45WM-MCF2 Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload

Duplicate Advisory This advisory has been withdrawn because it is been determined to not be a vulnerability. This link is maintained to preserve external references. Original Description Summary Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a...

Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload

Duplicate Advisory This advisory has been withdrawn because it is been determined to not be a vulnerability. This link is maintained to preserve external references. Original Description Summary Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a...

CVE-2021-27463

A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected applications utilize persistent cookies where the session cookie attribute is not properly invalidated, allowing an attacker to intercept the cookies and gain access to sensitive...

CVE-2026-29905

Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent Denial of Service DoS via a malformed image upload. The application fails to properly validate the return value of the PHP getimagesize function. When the system attempts to process this file for...

Clawed and Dangerous: Can We Trust Open Agentic Systems?

Open agentic systems combine LLM-based planning with external capabilities, persistent memory, and privileged execution. They are used in coding assistants, browser copilots, and enterprise automation. OpenClaw is a visible instance of this broader class. Without much attention yet, their securit...

EUVD-2026-16293

thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter...

GO-2026-4708 SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes in github.com/siyuan-note/siyuan

SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes in github.com/siyuan-note/siyuan...