930 matches found

NVD
added 4 days ago, 4 views

CVE-2026-57522

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

CVSS 5, EPSS 0.00217
Exploits 1, References 5
EUVD
added 4 days ago, 3 views

EUVD-2026-39543

Bitwarden Server before 2026.5.0 contains a JSON injection vulnerability in IntegrationTemplateProcessor.ReplaceTokens, which substitutes user-controlled values into event-integration templates without JSON encoding. When an organization has configured an event integration whose template referenc...

CVSS 3.5, AI score 6, EPSS 0.00217
Exploits 1, References 5
Positive Technologies
added 4 days ago, 6 views

PT-2026-52576

Name of the Vulnerable Software and Affected Versions: Bitwarden Server versions prior to 2026.5.0. Description: An issue exists in the IntegrationTemplateProcessor.ReplaceTokens function where user-controlled values are substituted into event-integration templates without proper JSON encoding. An...

CVSS 5, AI score 5.9, EPSS 0.00217
Exploits 1, References 8
CVE
added 6 days ago, 19 views

CVE-2026-46548

NocoDB (CVE-2026-46548) exhibits an SSRF protection bypass in the notification webhook plugins for Slack, Discord, Mattermost, and Teams. Root cause: in the affected code paths, the httpAgent/httpsAgent were incorrectly placed in the request body of axios.post instead of the config argument, all...

CVSS 4.3, AI score 6, EPSS 0.00176
Exploits 0, References 1
NVD
added 2026/06/16 7:17 p.m., 14 views

CVE-2026-53851

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading ...

CVSS 6.3, EPSS 0.00191
Exploits 0, References 2
CVE
added 2026/06/16 6:5 p.m., 13 views

CVE-2026-53851

CVE-2026-53851 affects OpenClaw prior to version 2026.5.12. A notification bypass allows Slack reaction events to be processed by the agent pipeline even when reaction notifications are disabled. An attacker can trigger unintended agent processing by sending reaction events while the feature is e...

CVSS 6.3, AI score 5.3, EPSS 0.00191
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/06/16 12:0 a.m., 11 views

PT-2026-49768

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.5.12. Description: A notification bypass allows Slack reaction events to enter the agent pipeline even when reaction notifications are disabled. This can trigger unintended agent processing for reaction events,...

CVSS 6.3, AI score 5.2, EPSS 0.00191
Exploits 0, References 5
OSV
added 2026/06/15 5:36 p.m., 9 views

MAL-2026-5815 Malicious code in kinto-slack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0e0434bc9a31ed977738596bc7326ddbc16d225b80d4e219865cb6ec39ff2d78 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 5.6
Exploits 0, References 1
OSSF Malicious Packages
added 2026/06/15 5:36 p.m., 23 views

Malicious code in kinto-slack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0e0434bc9a31ed977738596bc7326ddbc16d225b80d4e219865cb6ec39ff2d78 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 5.6
Exploits 0, References 1
EUVD
added 2026/06/13 12:34 a.m., 12 views

EUVD-2026-36618

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

CVSS 6.5, AI score 5.2, EPSS 0.00207
Exploits 0, References 3
EUVD
added 2026/06/13 12:34 a.m., 8 views

EUVD-2026-36611

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6, AI score 5.2, EPSS 0.00209
Exploits 0, References 3
NVD
added 2026/06/12 10:16 p.m., 13 views

CVE-2026-53830

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

CVSS 6.5, EPSS 0.00207
Exploits 0, References 2
NVD
added 2026/06/12 10:16 p.m., 10 views

CVE-2026-53823

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6, EPSS 0.00209
Exploits 0, References 2
Cvelist
added 2026/06/12 9:56 p.m., 29 views

CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

CVSS 6.5, EPSS 0.00207
Exploits 0, References 2
Vulnrichment
added 2026/06/12 9:56 p.m., 6 views

CVE-2026-53830 OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload

OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation,...

CVSS 6.5, AI score 5.3, EPSS 0.00207
Exploits 0, References 2
Cvelist
added 2026/06/12 9:56 p.m., 29 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6, EPSS 0.00209
Exploits 0, References 2
Vulnrichment
added 2026/06/12 9:56 p.m., 8 views

CVE-2026-53823 OpenClaw < 2026.5.3 - Privilege Escalation via Mutable Slack Display Names in allowFrom

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other...

CVSS 8.6, AI score 5.3, EPSS 0.00209
Exploits 0, References 2
CVE
added 2026/06/12 9:56 p.m., 22 views

CVE-2026-53823

OpenClaw is affected by a privilege-escalation vulnerability in the allowFrom feature, where binding to mutable Slack display names enables an attacker with Slack account access to alter display name metadata to match policy entries and gain unauthorized agent access intended for other identities...

CVSS 8.6, AI score 5.3, EPSS 0.00209
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/06/12 12:0 a.m., 10 views

PT-2026-49034

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.22. Description: A webhook secret revocation bypass allows callers using outdated Slack and Zalo webhook secrets to remain active after the secrets.reload function is executed. This creates a stale-secret window...

CVSS 6.5, AI score 5.2, EPSS 0.00207
Exploits 0, References 5
Positive Technologies
added 2026/06/12 12:0 a.m., 12 views

PT-2026-49027

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.5.3. Description: A privilege escalation issue exists in the allowFrom feature, which binds to mutable Slack display names. Attackers with access to a Slack account can modify display name metadata to match policy...

CVSS 8.6, AI score 5.2, EPSS 0.00209
Exploits 0, References 6