10 matches found

RedhatCVE · added 2026/03/26 3:02 p.m. · 3 views

CVE-2026-32913

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...

CVSS 9.3 · AI score 5.8 · EPSS 0.00045
Exploits 0 · References 1
NVD · added 2026/03/23 10:16 p.m. · 0 views

CVE-2026-32913

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...

CVSS 9.3 · EPSS 0.00045
Exploits 0 · References 3
EUVD · added 2026/03/23 9:36 p.m. · 2 views

EUVD-2026-14599

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...

CVSS 9.3 · AI score 5.8 · EPSS 0.00045
Exploits 0 · References 3
Vulnrichment · added 2026/03/23 9:36 p.m. · 2 views

CVE-2026-32913 OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects

OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intend...

CVSS 9.3 · AI score 5.8 · EPSS 0.00045
Exploits 0 · References 3
Positive Technologies · added 2026/03/09 12:00 a.m. · 2 views

PT-2026-27245

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.7. Description: OpenClaw’s fetchWithSsrFGuard... function improperly validates headers during cross-origin redirects, allowing custom authorization headers like X-Api-Key and Private-Token to be forwarded to a...

CVSS 9.3 · AI score 5.9 · EPSS 0.00045
Exploits 0 · References 14
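The five entries above describe one defect: a fetch wrapper that keeps forwarding custom authorization headers after a redirect leaves the origin the request was addressed to. The block below is an added example, not OpenClaw's fetchWithSsrFGuard or any code from that project; the header list, the name-matching heuristic and the hostnames api.example.com and attacker.example are assumptions. It follows redirects by hand so the header filter runs at every hop, and then replays the advisory's scenario against a constructed in-memory transport.

```javascript
// Added example (not OpenClaw's code): a redirect-following fetch wrapper that
// drops credential-bearing headers whenever a redirect changes origin.
// The header names, heuristic and hostnames below are illustrative assumptions.

// Headers that must never follow a request to a different origin. The CVE text
// names X-Api-Key and Private-Token; the others are common credential headers.
const SENSITIVE_HEADERS = new Set([
  'authorization',
  'proxy-authorization',
  'cookie',
  'x-api-key',
  'private-token',
]);

function isSensitiveHeader(name) {
  const n = name.toLowerCase();
  // Assumption: header names that look like token/secret/auth carriers are
  // treated as sensitive too, so an unlisted custom header fails closed.
  return SENSITIVE_HEADERS.has(n) || /token|secret|auth/.test(n);
}

// Pure function: given the headers sent on the current hop and the redirect
// target, return the headers that may be sent on the next hop.
function headersForRedirect(headers, fromUrl, toUrl) {
  const out = new Headers(headers);
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  if (!sameOrigin) {
    for (const name of [...out.keys()]) {
      if (isSensitiveHeader(name)) out.delete(name);
    }
  }
  return out;
}

// Follows redirects manually (redirect: 'manual') so the filter above runs at
// every hop. `transport` does the I/O: global fetch fits this shape, and the
// demo injects an in-memory fake.
async function fetchWithRedirectGuard(transport, url, init = {}, maxRedirects = 5) {
  let currentUrl = new URL(url).toString();
  let headers = new Headers(init.headers || {});
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await transport(currentUrl, { ...init, headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (![301, 302, 303, 307, 308].includes(res.status) || !location) {
      return res;
    }
    // Location may be relative; resolve it against the URL that issued it.
    const nextUrl = new URL(location, currentUrl).toString();
    headers = headersForRedirect(headers, currentUrl, nextUrl);
    currentUrl = nextUrl;
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}

// Constructed fake transport: api.example.com answers with a 302 to an
// attacker-controlled host and records the headers each host received.
function makeFakeTransport(received) {
  return async (url, init) => {
    const { host } = new URL(url);
    received.push({ host, headers: Object.fromEntries(init.headers) });
    if (host === 'api.example.com') {
      return {
        status: 302,
        headers: new Headers({ location: 'https://attacker.example/collect' }),
      };
    }
    return { status: 200, headers: new Headers(), body: 'ok' };
  };
}

// Replays the advisory's scenario and returns what each host saw.
async function demo() {
  const received = [];
  await fetchWithRedirectGuard(makeFakeTransport(received), 'https://api.example.com/v1/data', {
    headers: {
      'X-Api-Key': 'key-123', // constructed sample secrets
      'Private-Token': 'glpat-xyz',
      Accept: 'application/json',
    },
  });
  return received;
}

demo().then((received) => console.log(JSON.stringify(received, null, 2)));
```

The origin comparison covers scheme and port as well as host, so an https to http redirect on the same hostname also strips the credentials. With a real fetch the same guard is needed because the runtime's automatic redirect handling only knows about Authorization and Cookie, not about custom headers such as X-Api-Key.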
CNNVD · added 2025/10/03 12:00 a.m. · 5 views

WordPress plugin RestroPress information disclosure vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that can host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. An information...

CVSS 9.8 · AI score 6.1 · EPSS 0.09621
Exploits 5 · References 2
OSV · added 2025/02/25 10:15 a.m. · 1 view

CVE-2024-13693

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings, which may include sensitive...

CVSS 5.3 · AI score 5.8
Exploits 0 · References 2
Positive Technologies · added 2025/02/25 12:00 a.m. · 3 views

PT-2025-7820 · WordPress · Enfold

Name of the Vulnerable Software and Affected Versions: Enfold theme for WordPress versions up to, and including, 6.0.9 Description: The issue allows unauthorized access to data due to a missing capability check in the avia-export-class.php file. This enables unauthenticated attackers to export al...

CVSS 5.3 · AI score 9.4 · EPSS 0.00353
Exploits 0 · References 9
Hacker One · added 2021/05/13 3:11 p.m. · 15 views

New Relic: Steal any user in your org's private GitHub token by pointing the GH integration at an attacker controlled GHE instance

@archangel reported that a flaw in New Relic's Github configuration could have allowed a malicious actor to steal the private GitHub token of any user in the organization by pointing the GH integration at an attacker-controlled GHE instance...

AI score 6.8
Exploits 0
Hacker One · added 2016/04/25 12:06 a.m. · 10 views

GitLab: Attacker can post notes on private MR, snippets, and issues

Vulnerability details: By sending a specially crafted request to the GitLab API, an attacker can post notes on merge requests, snippets, and issues it doesn't have access to. This could execute additional note hooks that were configured by the project administrator. Proof of concept: As a victim,...

Exploits 0