OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade

Impact Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns...

CVE-2026-5831 Agions taskflow-ai terminal_execute handlers.ts os command injection

A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminalexecute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading ...

PT-2026-31707

Name of the Vulnerable Software and Affected Versions FoundationAgents MetaGPT versions up to 0.8.1 Description A flaw exists in the Terminal.run command function within the metagpt/tools/libs/terminal.py library. This allows for os command injection, potentially enabling remote exploitation. The...

CVE-2026-5808

A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/dashboard/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in...

Juniper Junos OS Vulnerability (JSA107863)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA107863 advisory. - A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to...

PT-2026-34331

Name of the Vulnerable Software and Affected Versions PackageKit versions 1.0.2 through 1.3.4 Description PackageKit is a D-Bus abstraction layer used to manage packages across different distributions and architectures. A time-of-check time-of-use TOCTOU race condition exists in the handling of...

RHSA-2026:6618 Red Hat Security Advisory: gnutls security update

Bulletin has no description...

ROOT-OS-DEBIAN-12-CVE-2024-37407 CVE-2024-37407 in rootio-libarchive - Patched by Root

Root has patched CVE-2024-37407 in the rootio-libarchive package for Root:Debian:12. Multiple fixed versions available...

BIT-DISCOURSE-2026-33073 discourse-subscriptions plugin leaking stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across...

SUSE CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVE-2026-33405

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a...

BIT-PARSE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The...

BIT-PARSE-2026-34215 Parse Server: Auth data exposed via verify password endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who...

Security update for avahi

This update for avahi fixes the following issue: CVE-2026-24401: avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record bsc1257235. Patch Instructions: To install this SUSE update use the SUSE recommended installation metho...

EUVD-2026-19176

A security flaw has been discovered in ProjectSend r2002. This vulnerability affects unknown code of the file upload.php. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks...

Android XR Bulletin—April 2026Stay organized with collectionsSave and categorize content based on your preferences.

The XR Security Bulletin contains details of security vulnerabilities affecting the XR platform. The full XR update comprises the security patch level of 2026-04-05 or later from the April 2026 Android Security Bulletin in addition to all issues in this bulletin. We encourage all customers to...

Wear OS Security Bulletin—April 2026Stay organized with collectionsSave and categorize content based on your preferences.

The Wear OS Security Bulletin contains details of security vulnerabilities affecting the Wear OS platform. The full Wear OS update comprises the security patch level of 2026-04-05 or later from the April 2026 Android Security Bulletin in addition to all issues in this bulletin. We encourage all...

Android Automotive OS Update Bulletin—April 2026Stay organized with collectionsSave and categorize content based on your preferences.

The Android Automotive OS AAOS Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2026-04-05 or later from the April 2026 Android Security Bulletin in addition to all issues in this...

CVE-2026-27834

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...

CVE-2026-34780

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...