CVE-2026-39381 Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-39324

Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie...

PT-2026-30736

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, a stored XSS vulnerability allows an attacker to inject malicious scripts through a backup filename. This could lead to unauthorized execution of malicious code in the victim's browser, compromising session data or executing...

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

CVE-2026-20155

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager EPNM could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization...

GHSA-W2FM-25VW-VH7F mcp-handler has a tool response leak across concurrent client sessions ('Race Condition')

mcp-handler versions prior to 1.1.0 accepted @modelcontextprotocol/sdk =1.26.0, which contains the fix for CVE-2026-25536. Workarounds - Upgrade @modelcontextprotocol/sdk to =1.26.0 note: the SDK will throw on transport reuse, which will break mcp-handler 1.1.0 which effectively forces the upgrad...

mcp-handler has a tool response leak across concurrent client sessions ('Race Condition')

mcp-handler versions prior to 1.1.0 accepted @modelcontextprotocol/sdk =1.26.0, which contains the fix for CVE-2026-25536. Workarounds - Upgrade @modelcontextprotocol/sdk to =1.26.0 note: the SDK will throw on transport reuse, which will break mcp-handler 1.1.0 which effectively forces the upgrad...

CVE-2026-20155 Cisco Evolved Programmable Network Manager Improper Authorization Vulnerability

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager EPNM could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization...

CVE-2025-41355

Reflected Cross-Site Scripting XSS vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or ...

CVE-2025-41357 Reflected Cross-Site Scripting on Anon Proxy Server

Reflected Cross-Site Scripting XSS vulnerability in Anon Proxy Server v0.104. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or ...

Amazon Linux 2023 : python3-flask (ALAS2023-2026-1476)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1476 advisory. Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use o...

GHSA-HH43-Q692-2XMQ Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows...

EUVD-2026-16999

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows...

CVE-2026-32918

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

CVE-2026-32918

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

CVE-2026-32918 OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause a sandboxed agent to access the state of a parent or sibling session to read or modify session data outside the scope of the sandb...

PT-2026-28448

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.11 Description The software contains a session sandbox escape issue within the session status tool. This allows sandboxed subagents to access session state belonging to parent or sibling sessions. An attacker...

CVE-2025-13478

Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2v4.10.1...