CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...
CVE-2026-44444
Lumiverse before 0.9.7: the Spindle extension build pipeline runs bun install without --ignore-scripts prior to the static backend safety scan (assertSafeBackendBundle). A malicious extension containing a package.json with preinstall, postinstall, or prepare lifecycle scripts can achieve host-lev...
CVE-2026-41377
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings...
CVE-2026-41377
OpenClaw before 2026.3.31 has a fail-open vulnerability in the plugin installation flow: security scan failures do not block installation, allowing the possibility to install untrusted plugins when operators proceed after visible scan warnings. Affected product: openclaw (npm). Vulnerabl...
CVE-2026-41377 OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings...
Improper Check for Unusual or Exceptional Conditions
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to the plugin installation process. An attacker can bypass intended security restrictions by exploiting a failure in the security...
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Summary: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an...
EUVD-2017-13014
Malware in sbrugna...
EUVD-2016-8856
Malware in sbrugna...
EUVD-2016-8874
Malware in sbrugna...
EUVD-2015-8845
Malware in sbrugna...
EUVD-2022-39679
Malicious code in bioql PyPI...
GHSA-8PJC-487G-W6P2 vulnerabilities
Vulnerabilities for packages: chartmuseum, mockgen, witness, dive, ratify, kubernetes-csi-driver-nfs, mattermost, plugin-barman-cloud, portieris, grafana-alloy, src, terraform, kubernetes-csi-external-health-monitor, nri-consul, spire-controller-manager, emissary, nri-nginx, tigera-operator,...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: apache-beam-python-3.11-sdk, cilium-envoy-fips, flux-helm-controller, logstash, witness, gitlab-kas-fips, neuvector-dbgen, trivy-fips, certificate-transparency-fips, kubernetes-csi-driver-nfs, redka, cluster-api-gcp-controller, terraform, crossplane-provider-gcp,...
Linux Distros Unpatched Vulnerability : CVE-2025-38120
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: netfilter: nfsetpipapoavx2: fix initial map fill If the first field doesn't cover the entire...
Linux Distros Unpatched Vulnerability : CVE-2022-22754
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - If a user installed an extension of a particular type, the extension could have auto-updated itself and while doing so, bypass the prompt which grants the new...
Linux Distros Unpatched Vulnerability : CVE-2024-56706
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: s390/cpumsf: Fix and protect memory allocation of SDBs with mutex Reservation of the PMU...