Linux Distros Unpatched Vulnerability : CVE-2026-21715

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable...

EUVD-2026-11593

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files results in path traversal. Remote exploitation of the attack is possible. The exploit is now...

CVE-2026-4044 projectsend Delete import-orphans.php realpath path traversal

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files results in path traversal. Remote exploitation of the attack is possible. The exploit is now...

CVE-2026-4044 projectsend Delete import-orphans.php realpath path traversal

A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files results in path traversal. Remote exploitation of the attack is possible. The exploit is now...

CVE-2026-4044

The vulnerability CVE-2026-4044 affects projectsend up to r1945, specifically the realpath function in /import-orphans.php within the Delete Handler. Manipulating the files[] argument enables path traversal, enabling remote exploitation. The exploit is public; vendor was contacted but did not res...

PT-2026-24962

Name of the Vulnerable Software and Affected Versions projectsend versions prior to r1945 Description A flaw exists in projectsend that allows for path traversal. This issue affects the realpath function within the /import-orphans.php file of the Delete Handler component. Manipulating the files...

GHSA-9MPH-4F7V-FMVH OpenClaw has agent avatar symlink traversal in gateway session metadata

Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the...

OpenClaw has agent avatar symlink traversal in gateway session metadata

Summary A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses. Impact - Confidentiality impact: local file read in the gateway process context. - Exfiltration path: agents.list can return the...

CLSA-2026-1772631219 python3: Fix of 5 CVEs

CVE-2024-12718: extractall: re-apply the filter at directory-attribute fixup, skip fixup if the entry is no longer a directory - CVE-2025-4138: datafilter: strip .. components from symlink targets in datafilter to prevent traversal via symlinks in the link target - CVE-2025-4330: re-apply filter...

OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read

Summary The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads. Affected Packages / Versions - Package: openclaw npm - Latest published...

GHSA-5GHC-98WH-GWWF OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read

Summary The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads. Affected Packages / Versions - Package: openclaw npm - Latest published...

GHSA-Q399-23R3-HFX4 OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens for example tr. If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...

OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens for example tr. If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...

PT-2026-26237

Summary For host=node runs, approvals validated command context but did not pin executable identity for non-path-like argv0 tokens for example tr. If PATH resolution changed after approval, execution could run a different binary. Impact A previously approved action could execute a different...

PT-2026-26401

Summary The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads. Affected Packages / Versions - Package: openclaw npm - Latest published...

Exploit for CVE-2025-4138

CVE-2025-4138 Python Tarfile module Directory Traversal Vulne...

Exploit for CVE-2025-4517

CVE-2025-4517 / CVE-2025-4330 — Python tarfile Data Filter B...

MiracleLinux 8 : nodejs:12 (AXSA:2020-792:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-792:01 advisory. nodejs-dot-prop: prototype pollution CVE-2020-8116 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion CVE-2020-8201 npm: Sensitive...

MiracleLinux 7 : rh-nodejs12-nodejs-12.18.4-3.el7 (AXSA:2020-894:04)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-894:04 advisory. nodejs-dot-prop: prototype pollution CVE-2020-8116 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion CVE-2020-8201 npm: Sensitive...

MiracleLinux 7 : rh-nodejs10-nodejs-10.23.1-2.el7 (AXSA:2021-1479:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-1479:01 advisory. libuv: buffer overflow in realpath CVE-2020-8252 nodejs-npm-user-validate: improper input validation when validating user emails leads to ReDoS...