24 matches found
CVE-2026-42435
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...
CVE-2026-42435
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...
CVE-2026-42435 OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...
CVE-2026-42435
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...
EUVD-2026-27253
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...
PT-2026-37007
Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.2.22 through 2026.4.11 Description Insufficient shell-wrapper detection allows attackers to inject environment variable assignments at the argv level. This enables the bypass of exec preflight handling to manipulate...
GHSA-FVX6-PJ3R-5Q4Q OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Summary Before OpenClaw 2026.4.2, exec script preflight validation could fail open on complex interpreter invocations such as pipes or other non-simple command forms. In those cases, script-content validation could be skipped entirely. Impact An attacker-controlled command shape could bypass the...
GHSA-RF75-G96H-J3RM Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protecti...
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protecti...
CVE-2026-34425
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass in the shell-bleed protection. The bypass lets attackers craft piped, subshell, or command-substitution forms that the parser fails to recognize, enabling execution of blocked script content that would otherwise be bl...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
GHSA-V66J-6WWF-JC57 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...
Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Summary A Cross-Site Request Forgery CSRF vulnerability was identified in Mercurius versions 16. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166 Mercurius: Incorrect Content-Type parsing can lead to CSRF attack
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery CSRF vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as...
CVE-2025-64166
Mercurius (GraphQL adapter for Fastify) has a CSRF flaw prior to v16.4.0 caused by incorrect parsing of Content-Type headers. Requests with Content-Type like application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json, bypassing fetch() prefli...
PT-2026-23452
Name of the Vulnerable Software and Affected Versions Mercurius versions prior to 16.4.0 Description Mercurius, a GraphQL adapter for Fastify, was found to have a cross-site request forgery CSRF issue. The problem stems from the incorrect parsing of the Content-Type header in requests...
SUSE CVE-2015-4520
Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to bypass CORS preflight protection mechanisms by leveraging 1 duplicate cache-key generation or 2 retrieval of a value from an incorrect HTTP Access-Control- response header...