CVE-2026-34941

Wasmtime (WebAssembly runtime) contains a heap OOB read during transcoding of UTF-16 to the latin1+utf16 component-model encoding. The bug stems from validating the input length by code units instead of by byte length, causing reads beyond the WebAssembly linear memory during bounds checking. In ...

GHSA-4F8G-77MW-3RXC OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`

Impact Gateway plugin HTTP auth: gateway widens identity-bearing operator.read requests into runtime operator.write. Plugin HTTP routes using gateway auth could receive runtime write scopes even when the upstream trusted-proxy request only declared read. OpenClaw is a user-controlled local...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

OpenPLC Runtime version 3 安全漏洞

OpenPLC Runtime version 3 is a programmable logic controller developed by Thiago Alves. There is a security vulnerability in OpenPLC Runtime version 3, which stems from the use of unsafe default values during resource initialization. This vulnerability could allow attackers to access the system...

PT-2026-31689

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following...

PT-2026-31684

Name of the Vulnerable Software and Affected Versions Wasmtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 Description Wasmtime, a runtime for WebAssembly, may experience a panic when a flags-typed component model value is lifted with the Val type. This occurs if bits are set outside the...

OpenPLC Runtime version 3 安全漏洞

OpenPLC Runtime version 3 is a programmable logic controller developed by Thiago Alves. There is a security vulnerability in OpenPLC Runtime version 3. This vulnerability stems from the REST API endpoints only checking the existence of JWTs without verifying the caller’s role. This could allow...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from the gateway plugin’s sub-agent’s deleteSession function using a synthesized operator.admin runtime scop...

PT-2026-31719

Name of the Vulnerable Software and Affected Versions versions not specified Description A remote attacker with low privileges can manipulate Modbus register values used in odorant injection logic, potentially causing over or under-injection of odorant into a gas line. Attackers have exploited th...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

Security Bulletin: Denial-of-Service Vulnerability in WebAssembly Micro Runtime (WAMR) LLVM-JIT Mode (≤ v2.4.1) affects watsonx.data

Summary A vulnerability in WebAssembly Micro Runtime WAMR prior to v2.4.2 causes the runtime to hang or crash when executing WebAssembly programs with memory.fill instructions targeting addresses ≥ 2 GiB in LLVM-JIT mode. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-58749...

CVE-2026-27143

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption...

Uncaught Exception

Overview Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

GHSA-26PP-8WGV-HJVM Hono missing validation of cookie name on write path in setCookie()

Summary Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

Hono missing validation of cookie name on write path in setCookie()

Summary Cookie names are not validated on the write path when using setCookie, serialize, or serializeSigned to generate Set-Cookie headers. While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters. This results in inconsistent...

Google Go 安全漏洞

Google Go is a static, strongly typed, compiled, concurrent programming language with garbage collection features from the American company Google. There is a security vulnerability in Google Go, which stems from the lack of operation interface conversion, allowing the compiler to incorrectly...

OpenClaw License Issue Vulnerability (CNVD-2026-16679)

OpenClaw is a command line tool for rights management. A security vulnerability exists in versions of OpenClaw prior to 2026.3.11 that stems from insufficient authorization checking of subagent control requests, resulting in a leaf child agent being able to access the subagent control plane and...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006625)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006625 advisory. In the Linux kernel, the following vulnerability has been resolved: clk: Get runtime PM before walking tree during disableunused Doug reported 1 the following hung...

GO-2026-4868 Missing bound checks can lead to memory corruption in safe Go in cmd/compile

Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption...

Thales Sentinel LDK Runtime Stored XSS

RISK EVALUATION Thales Sentinel LDK Runtime on Windows allows Stored Cross-site Scripting. 2. RECOMMENDED PRACTICES Upgrade to version 10.22 or later. 3. DESCRIPTION Thales Sentinel LDK Runtime on Windows allows Stored Cross-site Scripting. Fixed in Sentinel LDK Runtime 10.22. 4. EXTRA INFO...