30367 matches found
CVE-2026-31865
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution, e.g. via `__proto__`. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
PT-2026-26065
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...
GHSA-9CCR-FPP6-78QF Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Impact: An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked...
GHSA-57HQ-95W6-V4FC Devise has a confirmable "change email" race condition permits user to confirm email they have no access to
Impact: A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an...
CVE-2026-32267
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user or an unauthenticated user who has been sent a shared URL can escalate their privileges to admin by abusing...
CVE-2025-69196
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...
EUVD-2026-12213
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross-site scripting. Remote exploitation of the attack is possible. There are stil...
PT-2026-25851
Name of the Vulnerable Software and Affected Versions: Romeo versions prior to 0.2.1. Description: Romeo is a tool designed to measure code coverage for Go applications within GitHub Actions. A misconfigured NetworkPolicy allows a malicious actor to move from the "hardened" namespace to any other Po...
freerdp security update
2:2.2.0-5.0.1 - fixed CVE-2026-23530 CVE-2026-23531 CVE-2026-23532 CVE-2026-23533 CVE-2026-23884 Orabug: 38971897...
CVE-2026-4185
GPAC MP4Box swf_parse.c swf_def_bits_jpeg stack-based overflow in src/scene_manager/swf_parse.c (function swf_def_bits_jpeg) affects GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. Manipulation of szName leads to a stack-based buffer overflow; remote exploit possible. Patch identified as 8961c74f87...
OESA-2026-1600 nodejs-requirejs security update
RequireJS is a JavaScript file and module loader. It is optimized for in-browser use, but it can be used in other JavaScript environments, like Rhino and Node. Using a modular script loader like RequireJS will improve the speed and quality of your code. Security Fixes: jrburke requirejs v2.3.6 wa...
OESA-2026-1560 libssh security update
The ssh library was designed to be used by programmers needing a working SSH implementation by means of a library. The complete control of the client is made by the programmer. With libssh, you can remotely execute programs, transfer files, use a secure and transparent tunnel for your remote...
PT-2026-25542
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross-site scripting. Remote exploitation of the attack is possible. There are...
GHSA-G93W-MFHG-P222 Angular vulnerable to XSS in i18n attribute bindings
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example, href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for...
GHSA-5M9R-P9G7-679C OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Summary: The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429. Impact: This made brute-force guessing...
OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state
Summary: The built-in `session_status` tool did not enforce the intended session-visibility boundary. A sandboxed subagent could supply another session's sessionKey and inspect or modify state outside its own sandbox scope. Impact: This allowed a sandboxed child session to read parent or sibling sessi...
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories
Summary: OpenClaw automatically discovered and loaded plugins from .openclaw/extensions/ inside the current workspace without an explicit trust or install step. A malicious repository could include a crafted workspace plugin that executed as soon as a user ran OpenClaw from that cloned directory...
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...