
24 matches found

Cvelist
added 2026/05/14 6:40 p.m., 35 views

CVE-2026-22707 Strapi Upload Plugin MIME Validation Bypass via Content API

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...

5.3 CVSS, 0.00034 EPSS
Exploits: 0, References: 1
CVE
added 2026/05/14 6:40 p.m., 17 views

CVE-2026-22707

In Strapi, prior to 5.33.3, the Upload plugin’s Content API endpoints did not enforce the administrator-configured MIME restrictions, allowing an authenticated Content API user to upload disallowed file types (e.g., HTML, SVG). The Content API handlers bypassed magic-byte MIME checks and allow/de...

5.4 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2026/04/21 12:00 a.m., 7 views

OpenClaw security vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities were caused by an issue with environment variable overrides in the host execution policy, which could allow attacker...

4.4 CVSS, 5.9 AI score, 0.00014 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/04/20 11:08 p.m., 2 views

CVE-2026-41330 OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification,...

4.4 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits: 0, References: 3
Cvelist
added 2026/04/20 11:08 p.m., 26 views

CVE-2026-41330 OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification,...

4.4 CVSS, 0.00014 EPSS
Exploits: 0, References: 3
Packet Storm News
added 2026/04/07 12:00 a.m., 0 views

ClawLess: A Security Model of AI Agents

Autonomous AI agents powered by Large Language Models can reason, plan, and execute complex tasks, but their ability to autonomously retrieve information and run code introduces significant security risks. Existing approaches attempt to regulate agent behavior through training or prompting, which...

6 AI score
Exploits: 0
RedhatCVE
added 2025/12/09 9:35 p.m., 2 views

CVE-2025-36102

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security...

2.7 CVSS, 6.6 AI score, 0.00029 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2024-54814

Malicious code in bioql PyPI...

5.5 CVSS, 6.6 AI score, 0.00054 EPSS
Exploits: 0, References: 1
CNNVD
added 2025/05/22 12:00 a.m., 1 views

IBM Aspera Faspex security vulnerability

IBM Aspera Faspex is a centralized file transfer solution designed to enable file exchange between users through an email-like workflow. An unauthorized access vulnerability exists in IBM Aspera Faspex. The vulnerability is due to client-side enforcement of server-side security mechanisms and can...

8.8 CVSS, 6.2 AI score, 0.0021 EPSS
Exploits: 0, References: 1
Wiz blog
added 2025/02/14 11:20 a.m., 4 views

The Overlooked Attack Surface: Securing Code Repositories, Pipelines, and Developer Infrastructure

Learn how Wiz for ASPM extends security to developer infrastructure by continuously enforcing secure defaults and detecting threats across the software supply chain...

7.3 AI score
Exploits: 0
IBM Security Bulletins
added 2025/01/28 10:08 p.m., 9 views

Security Bulletin: A vulnerability in IBM Robotic Process Automation may result in privilege escalation (CVE-2024-49824).

Summary: IBM Robotic Process Automation could allow an authenticated user to perform unauthorized actions as a privileged user due to improper validation of client-side security enforcement. This bulletin identifies the fixes required to address the vulnerability. Vulnerability Details...

6.5 CVSS, 7 AI score, 0.00112 EPSS
Exploits: 0, Affected Software: 1
CVE
added 2024/08/25 7:12 a.m., 76 views

CVE-2024-42340

CVE-2024-42340 corresponds to a CyberArk Identity Management issue: client-side enforcement of server-side security. The connected PT-2024-5772 document describes a vulnerability where a remote, unauthenticated attacker can bypass security controls to elevate privileges due to client-side enforce...

8.3 CVSS, 8.3 AI score, 0.00108 EPSS
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2024/05/14 4:19 p.m., 12 views

CVE-2024-31491

A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6 allows attacker to execute unauthorized code or commands via HTTP requests...

8.8 CVSS, 7.1 AI score, 0.01134 EPSS
Exploits: 0, References: 1
OSV
added 2023/08/17 11:57 a.m., 4 views

SUSE-SU-2023:3342-1 Security update for postgresql15

This update for postgresql15 fixes the following issues: - Update to 15.4 - CVE-2023-39417: Fixed potential SQL injection for trusted extensions. bsc1214059 - CVE-2023-39418: Fix MERGE to enforce row security. bsc1214061...

8.8 CVSS, 7.3 AI score, 0.00659 EPSS
Exploits: 0, References: 5
SUSE CVE
added 2023/02/15 4:45 a.m., 2 views

SUSE CVE-2017-8450

X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information...

7.5 CVSS, 7.7 AI score, 0.00249 EPSS
Exploits: 0, References: 3
OSV
added 2022/12/05 11:08 p.m., 24 views

GHSA-X45C-CVP8-Q4FM Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace

Capsule implements a multi-tenant and policy-based environment in a Kubernetes cluster. A ServiceAccount deployed in a Tenant Namespace, when granted with PATCH capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operato...

8.8 CVSS, 8.6 AI score, 0.00436 EPSS
Exploits: 0, References: 6
NVD
added 2022/12/02 7:15 p.m., 10 views

CVE-2022-46167

Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with PATCH capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule...

8.8 CVSS, 0.00436 EPSS
Exploits: 0, References: 4
GoogleProjectZero
added 2019/09/25 12:00 a.m., 32 views

Windows Exploitation Tricks: Spoofing Named Pipe Client PID

Posted by James Forshaw, Project Zero. While researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected client's PID. This feature was introduced in Vista and is exposed to servers through the...

7.8 CVSS, 6.5 AI score, 0.09447 EPSS
Exploits: 2
0day.today
added 2018/02/07 12:00 a.m., 42 views

Android - getpidcon Permission Bypass in KeyStore Service Vulnerability

Exploit for Android platform in category dos / poc. The keystore binder service "android.security.IKeystoreService" allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux...

4.6 CVSS, 0.4 AI score, 0.00071 EPSS
Exploits: 2
Kaspersky
added 2015/12/22 12:00 a.m., 147 views

KLA10732 Security bypass vulnerability in Mozilla Firefox and Firefox ESR

Lack of security enforcement was found in Mozilla Firefox. By exploiting this vulnerability, malicious users can conduct a man-in-the-middle attack. This vulnerability can be exploited remotely via collision-based attacks. Technical details: This vulnerability is caused by not rejecting MD5 signatures...

5.9 CVSS, 6.5 AI score, 0.0107 EPSS
Exploits: 0, References: 4