9 matches found
CVE-2026-32043
OpenClaw has a TOCTOU vulnerability affecting versions before 2026.2.25 in the approval-bound system.run execution path. The cwd is validated at approval but resolved at execution time, allowing an attacker to retarget a symlinked cwd between approval and execution and bypass command restrictions...
CVE-2026-32043 OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass comma...
Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations
This report shows a scope-widening issue in the rotate re-encrypt flow: the output scope can be derived from untrusted spec.template.metadata.annotations on the input sealed secret. If a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can...
GHSA-465P-V42X-3FMJ Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations
This report shows a scope-widening issue in the rotate re-encrypt flow: the output scope can be derived from untrusted spec.template.metadata.annotations on the input sealed secret. If a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can...
CVE-2026-22728
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...
CVE-2026-22728 sealed-secrets /v1/rotate can widen sealing scope to cluster-wide via attacker-controlled template annotations
Bitnami Sealed Secrets is vulnerable to a scope-widening attack during the secret rotation /v1/rotate flow. The rotation handler derives the sealing scope for the newly encrypted output from untrusted spec.template.metadata.annotations present in the input SealedSecret. By submitting a victim...
CVE-2023-37891 WordPress Exit Popups & Onsite Retargeting by OptiMonk Plugin <= 2.0.4 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery CSRF vulnerability in OptiMonk OptiMonk: Popups, Personalization & A/B Testing plugin = 2.0.4 versions...
Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful
...
HBO sued for sharing subscriber data with Facebook
HBO Max subscribers Angel McDaniel and Constance Simon filed a class-action lawsuit against HBO on Tuesday, alleging that the company has violated their privacy by sharing subscriber viewing data with Facebook. Bursor & Fisher filed the case on behalf of McDaniel and Simon. According to case...