CVE-2026-44993
OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been...
CVE-2026-3635 Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Summary: When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including...
CVE-2026-3635
CVE-2026-3635 : In Fastify (affected: fastify
com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects
A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted javax.naming.Reference or serialized object to an application using the library. This can provoke the application to download and execute arbitrary...
Incorrect Authorization
Overview: openclaw is 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the DM reaction notification process. An attacker can bypass authorization checks and enqueue unauthorized reaction-derived system events by reacting to...
GHSA-354R-7MFH-7RH2 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Summary: In OpenClaw = 2026.2.25. Fix Commits: aedf62ac7e669a89c7b299201bf6537dc6b12e0e. Release Process Note: patchedversions is pre-set to the release 2026.2.25 so after npm release the advisory is published. Thanks @tdjackey for reporting...
SUSE CVE-2026-27727
mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an...
EUVD-2026-8683
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution...
Improper Access Control
github.com/kyverno/kyverno is vulnerable to Improper Access Control. The vulnerability is due to incorrect handling of multiple policy exceptions in enforce mode, which allows an attacker to bypass enforced policies by leveraging a less restrictive exception even when a more restrictive exception...
CVE-2025-68146
A flaw was found in filelock. This vulnerability allows local attackers to corrupt or truncate arbitrary user files via a Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attacks. Mitigation: Ensure lock file directories used by applications employing filelock have restrictive...
CVE-2025-68146
CVE-2025-68146 affects the Python filelock package. A TOCTOU race in lock file creation allows local attackers with filesystem access to exploit symlinks and truncate target files. The vulnerability exists in UnixFileLock and WindowsFileLock for versions before 3.20.1; an attacker can create a sy...
Incorrect Default Permissions
Overview: bzfs is a reliable near-real-time, parallel replication and backup command-line tool for ZFS. It replicates snapshots from many local or remote source ZFS datasets and their descendants to local or remote destination datasets, using zfs send/receive and ssh, and can operate at...
EUVD-2019-18856
Malware in sbrugna...
EUVD-2025-6915
Malicious code in bioql PyPI...
CVE-2022-39338
useroidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this...
PT-2025-21248 · OA System
Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01. Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at the "/mail/MailController.java"...
GO-2025-3586 Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher
Rancher: Restricted Administrator can change Administrator's passwords in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
CVE-2024-8024
CVE-2024-8024 : A misconfigured Cross-Origin Resource Sharing (CORS) policy in netease-youdao/qanything version 1.4.1 allows cross-origin requests to bypass the Same-Origin Policy, potentially exposing sensitive information. The root cause is improper CORS configuration; no specific exploit detai...