CVE-2026-12093

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

CVE-2014-125112

A vulnerability was identified in Plack::Middleware::Session::Cookie when session data is deserialized from cookies using Storable::thaw. If the secret parameter is not configured or is compromised, an attacker can craft a malicious session cookie containing serialized objects. Because...

EUVD-2014-9820

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...

CVE-2014-125112 Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution

Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when...

CVE-2026-26316

OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback 127.0.0.1, ::1, ::ffff:127.0.0.1 even when the configured webhook secret was missing or...

CVE-2026-25474 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by ...

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/feishu is an OpenClaw Feishu/Lark channel plugin community maintained by @m1heng Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured...

Authentication Bypass Using an Alternate Path or Channel

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Telegram webhook endpoint when webhook mode is enabled without a configured secret. An attacker can...

GHSA-MP5H-M6QJ-6292 OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass

Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...

PT-2026-7185

Name of the Vulnerable Software and Affected Versions FUXA versions through 1.2.9 Description FUXA is a web-based Process Visualization software. An insecure default configuration allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. Th...

CVE-2025-8625 Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreaphandleimage Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachment...

CVE-2025-8570 BeyondCart Connector <= 2.1.0 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter

The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determinecurrentuser filter in versions 1.4.2 through 2.1.0. This makes it possible for unauthenticated attackers to craft valid tokens and assume...

libreswan: Missing PreSharedKey for connection can cause crash

A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys authby=secret, and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword,...

libreswan: Missing PreSharedKey for connection can cause crash

A flaw was found in Libreswan. This issue causes Libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys authby=secret, and the connection cannot find a matching configured secret. When automatically added on startup using the auto= keyword,...