10982 matches found
com.arcadedb:arcadedb-bolt (>=26.2.1 <=26.3.2), com.arcadedb:arcadedb-graphql (>=26.1.1 <=26.3.2) +9 more potentially affected by CVE-2026-44221 via com.arcadedb:arcadedb-server (>=26.1.1 <=26.3.2)
com.arcadedb:arcadedb-server MAVEN version =26.1.1, =26.2.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.1.1, =26.3.2 - io.github.mdre:adbogm =0.9.0.6 Source cves: CVE-2026-44221 Source advisory: SNYK:JAVA-COMARCADEDB-16638650...
@a-la-fois/api (>=0.0.25 <=0.0.39), @a-la-fois/doc-client (>=0.0.1 <=0.0.39) +115 more potentially affected by CVE-2026-42334 via mongoose (>=7.0.0 <=7.8.8)
mongoose NPM version =7.0.0, =0.0.25, =0.0.1, =0.0.25, =0.0.1, =0.0.25, =3.12.0, =1.0.0, =1.0.6, =0.2.0, =0.2.0, =0.0.0, =1.0.2, =1.0.0, =7.6.10, =7.8.6 and more Source cves: CVE-2026-42334 Source advisory: OSV:GHSA-WPG9-53FQ-2R8H...
NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
NPM: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection vulnerability discovered by ? in WordPress Npm mongoose versions = 9.0.0, = 9.1.5...
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
SSRF Bypass in ssrfcheck - fails to classify reserved IP address space as invalid ssrfcheck is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs. Resources: Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck Project's npm...
GHSA-P4HC-9PJH-55C8 ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
SSRF Bypass in ssrfcheck - fails to classify reserved IP address space as invalid ssrfcheck is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs. Resources: Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck Project's npm...
GHSA-VH75-FWV3-PQRH requests-hardened is Vulnerable to Server-Side Request Forgery
The SSRF protection in requests-hardened prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space 100.64.0.0/10. An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This i...
arches (=8.0.0a1), avaintegration-metapackage (>=6.0.4.3 <=6.0.4.13) +38 more potentially affected by CVE-2026-5766 via django (>=6.0.0 <=6.0.4)
django PYPI version =6.0.0, =6.0.4.3, =2.0.0, =1.1.0, =0.1.0, =0.4.5 - django-ndr-core =0.70.2 - django-sb-simple-migrations =0.9.0 - django-tasks-aws =0.2.0b1 and more Source cves: CVE-2026-5766 Source advisory: OSV:GHSA-W26R-RMM8-9C29...
arthexis (>=0.2.6 <=0.8.0), cg-django-uaa (=2.1.9) +29 more potentially affected by CVE-2026-35192 via django (>=5.2.0 <=5.2.13)
django PYPI version =5.2.0, =0.2.6, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-35192 Source advisory: OSV:GHSA-7H2M-M8VJ-598H...
@abtnode/analytics (>=1.16.13 <=1.17.13-beta-20260512-042419-7b556a38), @abtnode/auth (>=1.3.13 <=1.17.13-beta-20260512-042419-7b556a38) +208 more potentially affected by CVE-2026-32689 via phoenix (>=1.7.10 <=1.7.21)
phoenix NPM version =1.7.10, =1.16.13, =1.3.13, =1.1.12, =1.6.23, =1.16.6, =1.0.0, =1.16.33, =1.0.0, =1.0.35, =1.16.33, =1.0.2, =1.16.33, =1.16.33, =1.0.0, =1.17.13-beta-20260512-042419-7b556a38 and more Source cves: CVE-2026-32689 Source advisory: SNYK:JS-PHOENIX-16425773...
arches (=8.0.0a1), avaintegration-metapackage (>=6.0.4.3 <=6.0.4.13) +38 more potentially affected by CVE-2026-5766 via django (>=6.0.0 <=6.0.4)
django PYPI version =6.0.0, =6.0.4.3, =2.0.0, =1.1.0, =0.1.0, =0.4.5 - django-ndr-core =0.70.2 - django-sb-simple-migrations =0.9.0 - django-tasks-aws =0.2.0b1 and more Source cves: CVE-2026-5766 Source advisory: OSV:PYSEC-2026-54...
OpenClaw contains a symlink traversal vulnerability
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended...
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
NPM: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.1...
EUVD-2026-25605
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data...
EUVD-2026-25608
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet 127.0.0.0/8 in Axios 1.15.0...
GHSA-PMWG-CVHR-8VH7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NO_PROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
NPM: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver vulnerability discovered by ? in WordPress Npm axios versions = 1.0.0, 1.15.2...
ROS-20260505-73-0077
A vulnerability in the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address and ipaddress.IPv6Network classes of the ipaddress module of the Python programming language interpreter CPython is related to incorrect IP address range validation. Exploitation of the vulnerability could...
ROS-20260505-73-0078
A vulnerability in the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address and ipaddress.IPv6Network classes of the ipaddress module of the Python programming language interpreter CPython is related to incorrect IP address range validation. Exploitation of the vulnerability could...
PT-2026-36964
Name of the Vulnerable Software and Affected Versions Oracle MCP Server Helper Tool versions 1.0.1 through 1.0.156 Description An unauthenticated attacker with network access via HTTP can compromise the Oracle MCP Server Helper Tool. This issue allows the execution of malicious SQL, a technique...
OpenClaw security vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. OpenClaw versions 2026.2.23 through 2026.4.12 contain security vulnerabilities. These vulnerabilities stem from weakened exec approval binding during the execution of busybox and toybox mini-programs. This could...