
21 matches found

EUVD
added 2026/05/22 5:07 p.m., 8 views

EUVD-2026-31469

Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,...

CVSS 9.8, AI score 5.7, EPSS 0.00041
Exploits 1, References 2
CNNVD
added 2026/05/16 12:00 a.m., 5 views

DENX Software Engineering Das U-Boot Access Control Error Vulnerability

DENX Software Engineering's Das U-Boot is a general-purpose bootloader developed by the German company DENX Software Engineering. Versions of DENX Software Engineering's Das U-Boot prior to version 2026.04 contained an access control vulnerability. This vulnerability stemmed from the omission of...

CVSS 8.2, AI score 5.8, EPSS 0.00004
Exploits 0, References 2
Snyk
added 2026/05/11 9:00 p.m., 4 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

CVSS 9.8, AI score 5.8
Exploits 0, References 2
Patchstack
added 2026/04/25 11:48 p.m., 2 views

NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config

NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...

AI score 5.8
Exploits 0, References 4, Affected Software 1
CNNVD
added 2026/04/23 12:00 a.m., 4 views

OpenClaw Security Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities stemmed from a check-time-based flaw in sandbox file operations, allowing attackers to bypass defenses based on file...

CVSS 5, AI score 5.8, EPSS 0.00013
Exploits 0, References 1
CNNVD
added 2026/04/23 12:00 a.m., 6 views

OpenClaw Cross-Site Request Forgery Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained a cross-site request forgery vulnerability. This vulnerability stemmed from a lack of browser source verification at the HTTP operator endpoint when running in a...

CVSS 7.1, AI score 5.7, EPSS 0.00018
Exploits 0, References 1
CNNVD
added 2026/04/21 12:00 a.m., 4 views

mailcow: dockerized Cross-Site Scripting Vulnerability

mailcow: dockerized is a dockerized version of the mailcow open-source application. Versions of mailcow before 2026-03b contained a cross-site scripting vulnerability. This vulnerability stemmed from the fact that the isolated details modal boxes did not escape the attachment file names, allowing...

CVSS 8.9, AI score 5.9, EPSS 0.00112
Exploits 0, References 1
Vulnrichment
added 2026/04/06 5:48 p.m., 0 views

CVE-2026-35173 Chyrp Lite has an IDOR via Mass Assignment in Post Model

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR / Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions Edit Post, Edit Draft, Edit Own Post, Edit Own Draft to modify posts they do not own and do not have...

CVSS 6.5, AI score 5.9, EPSS 0.0003
Exploits 0, References 1
EUVD
added 2026/03/31 12:31 p.m., 1 view

EUVD-2026-17371

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters...

CVSS 9.8, AI score 6.4, EPSS 0.00578
Exploits 0, References 4
CNNVD
added 2026/03/26 12:00 a.m., 4 views

EVerest Race Condition Vulnerability

EVerest is an open-source firmware for electric vehicle charging stations developed by EVerest. Versions of EVerest prior to 2026.02.0 contained a race condition vulnerability. This vulnerability stemmed from undefined C++ behavior due to data races, which could lead to memory corruption...

CVSS 8.2, AI score 5.8, EPSS 0.0002
Exploits 1, References 1
OSV
added 2026/03/19 3:30 a.m., 4 views

GHSA-X742-88JJ-7HV9 Duplicate Advisory: allowlist exec-guard bypass via env -S

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48wf-g7cp-gr3m. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows...

CVSS 7.1, AI score 5.8, EPSS 0.00095
Exploits 0, References 5
OSV
added 2026/03/19 3:30 a.m., 3 views

GHSA-XRGV-34CC-Q765 Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9868-vxmx-w862. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to...

CVSS 6, AI score 5.9, EPSS 0.00027
Exploits 0, References 4
CNNVD
added 2026/03/19 12:00 a.m., 3 views

OpenClaw Security Vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.1 contained security vulnerabilities. These vulnerabilities stemmed from an unlimited memory growth issue in the Zalo webhook endpoint. This could allow unverified attackers to...

CVSS 8.7, AI score 5.8, EPSS 0.00106
Exploits 0, References 2
EUVD
added 2026/03/18 1:34 a.m., 2 views

EUVD-2026-12710

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin...

CVSS 7.1, AI score 6, EPSS 0.00044
Exploits 0, References 3
ATTACKERKB
added 2026/03/05 9:59 p.m., 3 views

CVE-2026-28477

OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token...

CVSS 5.9, AI score 6, EPSS 0.00021
Exploits 0, References 4
CNNVD
added 2026/03/05 12:00 a.m., 4 views

OpenClaw Code Issue Vulnerability

OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had code-related vulnerabilities. These vulnerabilities stemmed from insufficient constraints on the hook module paths configured by the gateway, allowing attackers with access to modify the gatew...

CVSS 8.6, AI score 5.9, EPSS 0.00101
Exploits 0, References 4
NVD
added 2026/02/06 2:16 p.m., 3 views

CVE-2026-1337

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat...

CVSS 5.4, EPSS 0.00012
Exploits 2, References 1
CNNVD
added 2026/01/30 12:00 a.m., 0 views

Kodmatic Online Exam and Assessment SQL Injection Vulnerability

Kodmatic Online Exam and Assessment is an online examination software developed by Kodmatic Corporation. Versions of Kodmatic Online Exam and Assessment prior to 30012026 contained a SQL injection vulnerability. This vulnerability stemmed from improper neutralization of special elements in SQL...

CVSS 8.6, AI score 5.9, EPSS 0.00053
Exploits 0, References 1
CNNVD
added 2026/01/20 12:00 a.m., 4 views

Foxit eSign security vulnerability

Foxit eSign is an electronic signature service software developed by the American company Foxit. Versions of Foxit eSign prior to 2026-01-16 contained security vulnerabilities. These vulnerabilities stemmed from URL parameters being directly embedded into JavaScript code or HTML attributes withou...

CVSS 6.1, AI score 6, EPSS 0.00055
Exploits 0, References 1
Cvelist
added 2025/11/17 5:48 p.m., 4 views

CVE-2025-34322 Nagios Log Server < 2026R1.0.1 Authenticated Command Injection via Natural Language Queries

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the...

CVSS 8.6, EPSS 0.00404
Exploits 0, References 4