
22 matches found

Vulnrichment
added 2026/04/09 9:26 p.m. · 1 view

CVE-2026-35624 OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVSS 4.2 · AI score 5.8 · EPSS 0.00069
Exploits 0 · References 4
Cvelist
added 2026/04/09 9:26 p.m. · 16 views

CVE-2026-35624 OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVSS 4.2 · EPSS 0.00069
Exploits 0 · References 4
Positive Technologies
added 2026/04/09 12:00 a.m. · 5 views

PT-2026-31760

OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms...

CVSS 4.2 · AI score 5.9 · EPSS 0.00069
Exploits 0 · References 5
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2023-2524

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 5.4 · EPSS 0.00128
Exploits 1 · References 7
OSV
added 2024/08/22 4:15 p.m. · 1 view

CVE-2024-42771

A Stored Cross Site Scripting (XSS) vulnerability was found in "/admin/editroomcontroller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "roomname" parameter...

CVSS 4.8 · AI score 6.1 · EPSS 0.00255
Exploits 1 · References 2
Positive Technologies
added 2024/08/22 12:00 a.m. · 2 views

PT-2024-30142 · Unknown · Kashipara Hotel Management System

Name of the Vulnerable Software and Affected Versions: Kashipara Hotel Management System version 1.0. Description: A Stored Cross Site Scripting (XSS) issue was found in the "/admin/edit room controller.php" endpoint of the Kashipara Hotel Management System, allowing remote attackers to execute...

CVSS 4.8 · AI score 6.6 · EPSS 0.00255
Exploits 1 · References 7
CNNVD
added 2024/08/22 12:00 a.m. · 2 views

Kashipara Hotel Management System Security Vulnerability

Kashipara Hotel Management System is a hotel management system from Kashipara. A cross-site scripting vulnerability exists in Kashipara Hotel Management System v1.0, which stems from the lack of effective filtering and escaping of user-supplied data in the roomname parameter of...

CVSS 4.8 · AI score 6.3 · EPSS 0.00255
Exploits 1 · References 3
CVE
added 2024/08/22 12:00 a.m. · 45 views

CVE-2024-42771

CVE-2024-42771 affects Kashipara Hotel Management System v1.0, specifically the /admin/edit_room_controller.php endpoint. The vulnerability is Stored XSS via the room_name parameter, allowing remote attackers to inject and execute arbitrary scripts in the context of the affected web application. ...

CVSS 4.8 · AI score 6.5 · EPSS 0.00255
Exploits 1 · References 2 · Affected Software 1
Github Security Blog
added 2023/09/20 6:30 a.m. · 24 views

Croc secrets may be disclosed to untrusted relay

An issue was discovered in Croc before 9.6.16. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

CVSS 5.3 · AI score 5.1 · EPSS 0.00128
Exploits 1 · References 7 · Affected Software 1
OSV
added 2023/09/20 6:15 a.m. · 10 views

CVE-2023-43617

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

CVSS 5.3 · AI score 7
Exploits 0 · References 3
ATTACKERKB
added 2023/09/20 6:15 a.m. · 5 views

CVE-2023-43617

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

CVSS 5.3 · AI score 5.8 · EPSS 0.00128
Exploits 1 · References 4
Prion
added 2023/09/20 6:15 a.m. · 10 views

Design/Logic Flaw

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

CVSS 5 · AI score 5.2 · EPSS 0.00128
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2023/09/20 12:00 a.m. · 11 views

CVE-2023-43617

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

AI score 5.4 · EPSS 0.00128
Exploits 1 · References 3
Positive Technologies
added 2023/09/19 12:00 a.m. · 1 view

PT-2023-28878 · Croc · Croc

Name of the Vulnerable Software and Affected Versions: Croc versions prior to 9.6.16. Description: An issue was discovered in Croc where parts of a custom shared secret may be divulged to an untrusted Relay when composing a room name. This occurs when a custom shared secret is used. Recommendation...

CVSS 5.3 · AI score 6.8 · EPSS 0.00128
Exploits 1 · References 16
GithubExploit
added 2022/03/14 5:10 p.m. · 487 views

Exploit for Code Injection in Digitaldruid Hoteldruid

CVE-2022-22909 Hotel Druid 3.0.3 - Remote Code Execution RCE...

CVSS 8.8 · AI score 9 · EPSS 0.33104
Exploits 6
ATTACKERKB
added 2022/03/03 12:15 a.m. · 2 views

CVE-2022-22909

HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module...

CVSS 8.8 · AI score 7.9 · EPSS 0.33104
Exploits 6 · References 3
Prion
added 2021/11/22 9:15 a.m. · 17 views

Cross site scripting

OX App Suite 7.10.5 allows XSS via an OX Chat room name...

CVSS 4.3 · AI score 5.9 · EPSS 0.00397
Exploits 3 · References 3 · Affected Software 1
Prion
added 2008/11/29 2:30 a.m. · 10 views

Heap overflow

The Local ZIM Server zcs.exe in Zilab Chat and Instant Messaging (ZIM) Server 2.1 and earlier allows remote attackers to execute arbitrary code via (1) heap-based buffer overflows involving multiple vectors, including a long room name and a long source account, and (2) a stack-based buffer overflow with ...

CVSS 10 · AI score 8.5 · EPSS 0.0593
Exploits 1 · References 5 · Affected Software 1
Exploit DB
added 2007/05/25 12:00 a.m. · 15 views

Digirez 3.4 - Multiple Cross-Site Scripting Vulnerabilities

source: https://www.securityfocus.com/bid/24157/info Digirez is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials and to launch other...

AI score 7.4
Exploits 0
Prion
added 2007/02/07 11:28 a.m. · 17 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature...

CVSS 6.8 · AI score 5.9 · EPSS 0.01631
Exploits 0 · References 6 · Affected Software 1