CVE-2026-53841
OpenClaw prior to version 2026.5.12 exposes a stored cross-site scripting risk in exported session HTML. The vulnerability arises because the exported content preserves unsafe javascript: and data: links, enabling browser-side scripts when a trusted operator opens the exported file and activates ...
EUVD-2026-37126
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued...
CVE-2026-9507
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier OSTSESSID active after a successful login. The issue lies in the fact that the application does not invalidate the...
Security Bulletin: IBM MQ Appliance is affected by multiple open source vulnerabilities (CVE-2026-23193, CVE-2026-23231, CVE-2026-3497)
Summary IBM MQ Appliance has addressed multiple open source vulnerabilities. Vulnerability Details CVEID: CVE-2026-3497 DESCRIPTION: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions...
CVE-2026-9507
CVE-2026-9507 affects osTicket v1.18.2. A session fixation flaw arises because the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context (OSTSESSID). As a result, an attacker could set a known session ID in the victim’s browser an...
EUVD-2026-37079
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier OSTSESSID active after a successful login. The issue lies in the fact that the application does not invalidate the...
CVE-2026-9507 Session fixation vulnerability in Enhancesoft's osTicket
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier OSTSESSID active after a successful login. The issue lies in the fact that the application does not invalidate the...
EUVD-2026-37047
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions...
Western Digital MyCloud NAS - Authentication Bypass
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the...
Apache OFBiz 17.12.03 - Cross-Site Scripting
Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request. id: CVE-2020-9496 info: name: Apache OFBiz 17.12.03 - Cross-Site Scripting author: dwisiswant0 severity: medium description: Apache OFBiz 17.12.03 contains cross-site scripting a...
Dolibarr <7.0.2 - Cross-Site Scripting
Dolibarr before 7.0.2 is vulnerable to cross-site scripting and allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. id: CVE-2018-10095 info: name: Dolibarr 7.0.2 - Cross-Site Scripting author: pikpikcu severity: medium...
Zoho manageengine - Cross-Site Scripting
Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the...
Citrix Bleed - Leaking Session Tokens
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway VPN virtual server, ICA Proxy, CVPN, RDP Proxy or AAA virtual server. id: CVE-2023-4966 info: name: Citrix Bleed - Leaking Session Tokens author: DhiyaneshDK severity: high description: | Sensiti...
PT-2026-49812
Name of the Vulnerable Software and Affected Versions Google Android affected versions not specified Description A memory corruption issue in the Modem component can be triggered during a SIP REFER request. This flaw allows for remote code execution without requiring additional execution privileg...
PT-2026-49760
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description An authorization bypass exists where a surviving pairing-scoped device session can re-establish node token authority after the token has been revoked. This allows a previously paired device to...
PT-2026-49758
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description Exported session HTML preserves unsafe javascript: and data: links in generated content. This allows for the execution of browser-side scripts if a trusted operator opens the exported file and...
PT-2026-49761
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.29 Description A session visibility check bypass exists in the shared memory search of the memory-wiki feature. This allows authenticated callers to skip session visibility guards on the search path, enabling...
PT-2026-50077
Adobe Acrobat PDF Extension Chrome versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in tha...
PT-2026-49818
Name of the Vulnerable Software and Affected Versions Google Android affected versions not specified Description An integer overflow in the numberOfReportBlocks of RtpSession.cpp can lead to an out-of-bounds write. This issue allows for remote escalation of privilege without requiring user...
GHSA-G8MR-85JM-7XHM Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Summary Vitest Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol CDP methods over the Vitest browser WebSocket RPC. CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec. As a result, disabling Browser Mode write and exec...