6 matches found
GHSA-3H52-CX59-C456 OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Summary Feishu webhook reads and parses unauthenticated request bodies before signature validation Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Feishu...
GO-2025-4049 OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao
OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao...
OpenBao leaks HTTPRawBody in Audit Logs
Impact: OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems: - When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked...
CVE-2025-62513
CVE-2025-62513 concerns OpenBao versions 2.2.0–2.4.1 where raw HTTP bodies were not redacted in the audit log, exposing ACME verification codes and OIDC/auth-related response data. The root cause is a logging regression affecting audit logs rather than a codepath in normal operation. The issue is...
CVE-2022-23549 Discourse vulnerable to bypass of post max_length using HTML comments
Discourse is an open source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, users can create posts with raw body longer than the max_length site setting by including HTML comments that are not counted toward the...
Node.js: Denial of Service by resource exhaustion (CWE-400) due to unfinished HTTP/1.1 requests
Summary: Node.js is vulnerable to HTTP denial of service (DoS) attacks based on delayed request submission, which can make the server unable to accept new connections. Description: An attacker can open an arbitrary number of HTTP connections and keep the server busy by never completing the request...