5 matches found

CVE
added 2026/05/29 5:7 p.m. | 15 views

CVE-2026-47125

CVE-2026-47125 — Arcane global variables endpoint lacks admin authorization.
Affected: Arcane interface for Docker management (before 1.19.2) via PUT /api/environments/{id}/templates/variables that writes the system-wide .env.global.
Root cause: missing admin check in the UpdateGlobalVariables han...

CVSS 8.8 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 1

vulnersOsv
added 2026/04/03 3:23 a.m. | 7 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +13 more potentially affected by CVE-2026-41348 via openclaw (>=2026.3.22 <=2026.3.28)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-41348 Source advisory: SNYK:JS-OPENCLAW-15893805...

CVSS 5.4 | AI score 5.4 | EPSS 0.00034
Exploits: 0

RedhatCVE
added 2026/03/11 7:8 a.m. | 5 views

CVE-2026-30920

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...

CVSS 8.6 | AI score 5.8 | EPSS 0.00011
Exploits: 1 | References: 1

vulnersOsv
added 2026/01/07 6:30 p.m. | 3 views

app.valuationcontrol:webservice (>=0.5.0 <=0.5.1), ba.sake:deder-publish-example_3 (=0.0.1) +1353 more potentially affected by CVE-2025-12543 via io.undertow:undertow-core (>=2.3.0.Alpha1 <=2.3.20.Final)

io.undertow:undertow-core MAVEN version =2.3.0.Alpha1, =0.5.0, =0.10.0, =0.0.7, =1.1.15, =1.0.6, =1.0.6, =1.0.6, =2.0.1, =1.0.6, =1.0.6, =1.0.6, =1.0.6, =1.0.6, =2.1.1 and more Source cves: CVE-2025-12543 Source advisory: SNYK:JAVA-IOUNDERTOW-14908846...

CVSS 9.6 | AI score 7.5 | EPSS 0.00031
Exploits: 0

Code423n4
added 2022/10/23 12:0 a.m. | 6 views

Reserved token rounding can be abused to honeypot and steal user's funds

Lines of code Vulnerability details Description When the project wishes to mint reserved tokens, they call mintReservesFor which allows minting up to the amount calculated by DelegateStore's numberOfReservedTokensOutstandingFor. The function has this line: // No token minted yet? Round up to 1. i...

AI score 6.8
Exploits: 0