CVE-2026-27522

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user...

CVE-2026-27524

OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject proto, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictio...

CVE-2026-22177

OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODEOPTIONS or LD through configuration to execute arbitrary code in the OpenClaw gateway service...

CVE-2026-27524

OpenClaw OpenClaw is affected by a prototype-pollution vulnerability in the runtime /debug override path. Affected versions are prior to 2026.2.21, where an authorized /debug set could inject prototype-reserved keys (proto , constructor, prototype) to manipulate object prototypes and bypass comma...

PT-2026-26201

Name of the Vulnerable Software and Affected Versions dynaconf versions prior to 3.2.13 Description dynaconf is susceptible to Server-Side Template Injection SSTI due to insecure template evaluation within the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template...

The New Era of Application Security: Reasoning-Based Agents, Runtime Reality, and Risk Intelligence

Key Takeaways AI reasoning systems improve vulnerability detection in source code, but do not address the full spectrum of application security risk. Modern application security must account for APIs, runtime environments, and externally exposed assets beyond the source repository. Continuous...

Security Bulletin: OpenPages is vulnerable to IIBM Semeru Runtime Quarterly CPU - Jan 2026 - Includes OpenJDK January 2026 CPU plus one CVE

Summary IBM Semeru Runtime Quarterly CPU - Jan 2026 - Includes OpenJDK January 2026 CPU plus one CVE. CVE-2026-21945, CVE-2026-21932, CVE-2026-21933, CVE-2026-21925, CVE-2026-1188 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...

Uncaught Exception

Overview github.com/buger/jsonparser is an Alternative JSON parser for Go. Affected versions of this package are vulnerable to Uncaught Exception via the Delete function when processing malformed JSON input. An attacker can cause a runtime panic and disrupt service availability by submitting...

SUSE CVE-2026-23941

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in Erlang OTP inets httpd module allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/httpserver/httpdrequest.erl and program routines httpdrequest:parseheaders/7. The...

CVE-2026-32635

A Cross-Site Scripting XSS vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute for example href on an anchor tag together with Angular's ability to internationalize attributes. Enabling internationalization for...

CVE-2026-32635

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting XSS vulnerability has been identified in the Angular runtime and compiler. It occurs whe...

UBUNTU-CVE-2026-32635

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting XSS vulnerability has been identified in the Angular runtime and compiler. It occurs whe...

CVE-2025-52458 arkcompiler_ets_runtime has an out-of-bounds write vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-52458 arkcompiler_ets_runtime has an out-of-bounds write vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-41432 arkcompiler_ets_runtime has an out-of-bounds write vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-41432

CVE-2025-41432 is an out-of-bounds write vulnerability affecting OpenHarmony up to v5.1.0. The issue is present in arkcompiler_ets_runtime and allows a local attacker to execute arbitrary code within pre-installed apps. The impact is described as high for confidentiality, integrity, and availabil...

CVE-2025-41432 arkcompiler_ets_runtime has an out-of-bounds write vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-25277 arkcompiler_ets_runtime has a type confusion vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through using incompatible type. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-25277 arkcompiler_ets_runtime has a type confusion vulnerability

in OpenHarmony v5.1.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through using incompatible type. This vulnerability can be exploited only in restricted scenarios...

CVE-2025-25277

OpenHarmony CVE-2025-25277 describes a local code execution vulnerability in OpenHarmony v5.1.0 and earlier, caused by a type confusion in arkcompiler_ets_runtime that can be triggered by using an incompatible type in pre-installed apps. Affected components are not enumerated beyond the arkcompil...