232 matches found
EUVD-2026-39517
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute...
CVE-2026-56767
Maxun before version 0.0.42 is affected by a cross-tenant insecure direct object reference in storage and webhook API handlers. Authenticated users can bypass ownership checks to read other users’ robots and OAuth tokens, including plaintext Google and Airtable tokens, and can modify, delete, or ...
CVE-2026-56767 Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute...
CVE-2026-56767 Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute...
CVE-2025-68840
Unauthenticated Cross Site Scripting XSS in iRobots.txt SEO = 1.1.2 versions...
PT-2026-49350
Unauthenticated Cross Site Scripting XSS in iRobots.txt SEO = 1.1.2 versions...
Malicious code in express-timer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683 express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on...
Crawlee for Python: SSRF via sitemap-derived URLs
Overview - Vulnerability type: Blind SSRF - Affected components: src/crawlee/utils/sitemap.py, src/crawlee/utils/robots.py, src/crawlee/requestloaders/sitemaprequestloader.py, and all built-in HTTP clients. - Trigger: an attacker-controlled sitemap or robots.txt containing a URL that points to an...
GHSA-3R75-XC34-5F44 Crawlee for Python: SSRF via sitemap-derived URLs
Overview - Vulnerability type: Blind SSRF - Affected components: src/crawlee/utils/sitemap.py, src/crawlee/utils/robots.py, src/crawlee/requestloaders/sitemaprequestloader.py, and all built-in HTTP clients. - Trigger: an attacker-controlled sitemap or robots.txt containing a URL that points to an...
PT-2026-42667
Name of the Vulnerable Software and Affected Versions Crawlee versions 1.0.0 through 1.6.9 Description Crawlee is subject to a blind Server-Side Request Forgery SSRF when processing sitemap-derived URLs or robots.txt directives. The issue occurs when an attacker-controlled sitemap or robots.txt...
Universal Robots Polyscope 5
ADVISORY SUMMARY Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Minimize network exposure for...
CVE-2026-8153
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS...
Yarbo responds to robot flaws that could mow down their owners
A researcher found that Yarbo yard robots came with a host of vulnerabilities which, among others, allowed an attacker to harvest WiFi passwords. Security researcher Andreas Makris found he could remotely hijack thousands of Yarbo yard robots worldwide, and proved it by having his mower run him...
EUVD-2026-28548
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.21.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS...
CVE-2026-8153
CVE-2026-8153 describes an OS command injection in the Dashboard Server interface of Universal Robots’ PolyScope (versions prior to 5.21.1). The vulnerability allows an unauthenticated attacker over the network to craft commands that execute code on the robot’s OS, with critical impact (CVSS v3.1...
CVE-2026-8153
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS...
CVE-2026-8153 Command injection in Dashboard Server interface
OS command injection in Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows unauthenticated attacker to craft commands that will execute code on the robot's OS...
PT-2026-38911
Name of the Vulnerable Software and Affected Versions Universal Robots PolyScope versions prior to 5.25.1 Description OS command injection in the Dashboard Server interface allows an unauthenticated attacker with network access to the Dashboard Server port to craft commands that execute arbitrary...
Farming at the Edge: Where Autonomous Robots and Edge Compute Meet
...
Cybersecurity AI: Hacking Consumer Robots in the AI Era
Is robot cybersecurity broken by AI? Consumer robots -- from autonomous lawnmowers to powered exoskeletons and window cleaners -- are rapidly entering homes and workplaces, yet their security remains rooted in assumptions of specialized attacker expertise. This paper presents evidence that...