7 matches found
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Summary: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...
GHSA-MHGQ-XPFQ-6R66 OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Summary: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...
MAL-2025-145489 Malicious code in nightwatch-terser-webpack-plugin-auth-callisto (npm)
Source: amazon-inspector (b8330b970ea27a9a8326babaa86a72618b895c2a775a610dbb6a8d80ff93ff11). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
@app-box/web (=1.0.0), @comet/cms-site (>=3.0.0-canary.160.0 <=4.0.0-canary.1049.0) +33 more potentially affected by CVE-2022-24858 via next-auth (>=0.0.0-manual.83c4ebd1 <=3.29.10)
next-auth (npm) affected versions: 0.0.0-manual.83c4ebd1, 3.0.0-canary.160.0, 2.0.1-canary.24.0, 1.0.99-0.next12, 0.1.0, 0.46.0, 0.30.0, 0.3.0, 0.10.0, 0.2.0, 0.4.0, 0.1.3 and more. Source CVEs: CVE-2022-24858. Source advisory: OSV:GHSA-F9WG-5F46-CJMW...
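The entry above gives the affected range for CVE-2022-24858 as next-auth >=0.0.0-manual.83c4ebd1 <=3.29.10, and a practitioner's first question is whether any copy of next-auth in their own lockfile (including nested copies pulled in by other dependencies) lands inside it. The script below is an added example, not code from next-auth, OSV or GitHub Advisory Database. It assumes plain SemVer 2.0 precedence for comparing prerelease tags (so canary builds between the bounds count as affected), which is simpler than npm's own range semantics, and it reads the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3). The lockfile fragment at the bottom is constructed for the demo.

```python
"""Flag next-auth versions in a package-lock.json that fall inside the
CVE-2022-24858 range (>=0.0.0-manual.83c4ebd1 <=3.29.10).

Added example; not code from next-auth or any advisory source. Comparison
follows SemVer 2.0 precedence (assumption: prereleases between the bounds are
treated as affected, unlike npm's stricter prerelease range matching).
"""
import json
import re

AFFECTED_LOW = "0.0.0-manual.83c4ebd1"   # inclusive lower bound from the advisory
AFFECTED_HIGH = "3.29.10"                # inclusive upper bound from the advisory
PACKAGE = "next-auth"

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse(version):
    """Split 'MAJOR.MINOR.PATCH[-pre][+build]' into (core tuple, prerelease ids)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4).split(".") if m.group(4) else []
    return core, pre


def _cmp_ids(a, b):
    # SemVer 11.4: numeric ids compare numerically and rank below alphanumerics;
    # alphanumeric ids compare lexically in ASCII order.
    a_num, b_num = a.isdigit(), b.isdigit()
    if a_num and b_num:
        return (int(a) > int(b)) - (int(a) < int(b))
    if a_num != b_num:
        return -1 if a_num else 1
    return (a > b) - (a < b)


def compare(v1, v2):
    """Return -1, 0 or 1 following SemVer precedence (prerelease < release)."""
    c1, p1 = parse(v1)
    c2, p2 = parse(v2)
    if c1 != c2:
        return -1 if c1 < c2 else 1
    if not p1 and not p2:
        return 0
    if not p1:
        return 1          # 3.0.0 ranks above 3.0.0-canary.1
    if not p2:
        return -1
    for a, b in zip(p1, p2):
        r = _cmp_ids(a, b)
        if r:
            return r
    # Identical prefix: the longer prerelease list has higher precedence.
    return (len(p1) > len(p2)) - (len(p1) < len(p2))


def is_affected(version):
    """True when AFFECTED_LOW <= version <= AFFECTED_HIGH."""
    return compare(AFFECTED_LOW, version) <= 0 and compare(version, AFFECTED_HIGH) <= 0


def lockfile_findings(lock_json):
    """Scan a package-lock.json (lockfileVersion 2 or 3) for every installed copy
    of next-auth, nested node_modules paths included, and report each as
    (path, version, affected)."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like 'node_modules/next-auth' or
        # 'node_modules/some-dep/node_modules/next-auth'; '' is the root project.
        if path.split("node_modules/")[-1] == PACKAGE and "version" in meta:
            findings.append((path, meta["version"], is_affected(meta["version"])))
    return findings


# Constructed sample lockfile fragment (not from any real project).
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next-auth": "^3.29.0"}},
        "node_modules/next-auth": {"version": "3.29.10"},
        "node_modules/legacy-widget/node_modules/next-auth": {"version": "3.0.0-canary.160.0"},
        "node_modules/new-widget/node_modules/next-auth": {"version": "4.0.0-canary.1"},
    },
})

if __name__ == "__main__":
    for path, version, hit in lockfile_findings(SAMPLE_LOCK):
        print(f"{'AFFECTED' if hit else 'ok      '} {version:<22} {path}")
```

Point `lockfile_findings` at the contents of a real package-lock.json to run it against a project; the nested-path check matters because a hoisted, fixed top-level copy does not clear a vulnerable copy that another dependency pinned underneath its own node_modules.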
Cross-Site Scripting vulnerability in @backstage/plugin-auth-backend
Impact: This vulnerability allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but i...
CVE-2021-43776
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other...
CVE-2021-43776 XSS vulnerability in @backstage/plugin-auth-backend
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other...