41 matches found

Tenable Nessus
added 2026/04/24 12:00 a.m., 6 views

openSUSE 16 Security Update : tomcat (openSUSE-SU-2026:20611-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20611-1 advisory. - CVE-2026-24880: Request smuggling via invalid chunk extension bsc1261850. - CVE-2026-25854: Occasionally open redirect bsc1261851. -...

CVSS 9.1, AI score 5.6, EPSS 0.12919
Exploits: 6, References: 31

Positive Technologies
added 2026/04/23 12:00 a.m., 3 views

PT-2026-34781

OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session status without sandbox constraints to bypass session-policy...

CVSS 5.3, AI score 5.8, EPSS 0.00034
Exploits: 0, References: 5

Tenable Nessus
added 2026/04/23 12:00 a.m., 4 views

openSUSE 16 Security Update : tomcat11 (openSUSE-SU-2026:20595-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20595-1 advisory. - Update to Tomcat 11.0.21 - CVE-2026-24880: Request smuggling via invalid chunk extension bsc1261850. - CVE-2026-25854: Occasionally open...

CVSS 9.1, AI score 5.8, EPSS 0.12919
Exploits: 6, References: 31

Snyk
added 2026/04/08 9:00 p.m., 2 views

Improper Authentication

Overview: org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Authentication in processOCSPRequest, which is part of the CLIENTCERT authentication process. An attacker can trigger a soft-fail of OCSP checks when...

CVSS 9.1, AI score 5.8, EPSS 0.00028
Exploits: 1, References: 2

CNNVD
added 2026/03/30 12:00 a.m., 2 views

CrewAI security vulnerability

CrewAI is an open-source code execution and analysis tool component developed by CrewAI. CrewAI has a security vulnerability that stems from incorrect checking of Docker’s running status and reverting to a sandbox setting, which may lead to remote code execution...

CVSS 9.8, AI score 6.6, EPSS 0.00023
Exploits: 0, References: 2

Github Security Blog
added 2026/03/25 9:10 p.m., 3 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Summary: When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...

CVSS 8.1, AI score 5.9, EPSS 0.00107
Exploits: 1, References: 8, Affected Software: 1

GitLab Advisory Database
added 2026/03/25 12:00 a.m., 3 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing th...

CVSS 8.1, AI score 5.8, EPSS 0.00107
Exploits: 1, References: 9, Affected Software: 1

Apache Tomcat
added 2026/03/23 12:00 a.m., 4 views

Fixed in Apache Tomcat 10.1.53

Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990). The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed. This was fixed with commit 4d0615a5. This issue was reported to the Tomcat security team o...

CVSS 9.1, AI score 6.7, EPSS 0.12919
Exploits: 2, Affected Software: 1

Apache Tomcat
added 2026/03/20 12:00 a.m., 5 views

Fixed in Apache Tomcat 11.0.20

Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990). The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed. This was fixed with commit 021d1f83. This issue was reported to the Tomcat security team o...

CVSS 9.1, AI score 6.7, EPSS 0.12919
Exploits: 2, Affected Software: 1

Positive Technologies
added 2026/02/17 12:00 a.m., 3 views

PT-2026-20960

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The skills.status function could reveal sensitive information to clients with operator.read access. This occurred because the function returned raw resolved config values within configChecks for...

CVSS 5.3, AI score 5.4, EPSS 0.00014
Exploits: 0, References: 17

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-35132

Malicious code in bioql PyPI...

CVSS 7.3, AI score 6.4, EPSS 0.03698
Exploits: 0, References: 3

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-29479

Malicious code in bioql PyPI...

AI score 6.6
Exploits: 0, References: 5

Tenable Nessus
added 2025/08/30 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2022-2904

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before...

CVSS 7.3, AI score 6.1, EPSS 0.03698
Exploits: 0, References: 2

RedhatCVE
added 2025/05/23 5:15 a.m., 4 views

CVE-2023-47035

RPTC 0x3b08c was discovered to not conduct status checks on the parameter tradingOpen. This vulnerability can allow attackers to conduct unauthorized transfer operations...

CVSS 7.5, AI score 7.2, EPSS 0.00087
Exploits: 1, References: 1

OSV
added 2025/05/14 6:05 p.m., 2 views

DRUPAL-CONTRIB-2025-062

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...

CVSS 4.8, AI score 7.1, EPSS 0.00134
Exploits: 1, References: 1

OSV
added 2025/03/26 6:30 p.m., 7 views

GHSA-56P6-QW3C-FQ2G Suspended Directus user can continue to use session token to access API

Summary: Since the user status is not checked when verifying a session token, a suspended user can use the token generated in session auth mode to access the API despite their status. Details: There is a check missing in verifySessionJWT to verify that a user is actually still active and allowed to...

CVSS 3.5, AI score 4, EPSS 0.00397
Exploits: 1, References: 4

RedhatCVE
added 2025/02/05 9:26 p.m., 4 views

CVE-2022-2904

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, and all versions starting from 15.4 before 15.4.1. It was possible to exploit a vulnerability in the external status checks feature...

CVSS 7.3, AI score 5.1, EPSS 0.03698
Exploits: 0, References: 1

CNVD
added 2024/09/12 12:00 a.m., 7 views

Google Android elevation of privilege vulnerability (CNVD-2024-45228)

Google Android is a Linux-based open source operating system from Google. Google Android suffers from an elevation of privilege vulnerability, which is caused by a lack of checking for FRP status in wifiitemeditcontent in styles.xml. An attacker can exploit this vulnerability to escalate privileg...

CVSS 7.8, AI score 7, EPSS 0.00006
Exploits: 0, References: 1

Prion
added 2024/01/19 8:15 p.m., 9 views

Buffer overflow

RPTC 0x3b08c was discovered to not conduct status checks on the parameter tradingOpen. This vulnerability can allow attackers to conduct unauthorized transfer operations...

CVSS 5, AI score 7.4, EPSS 0.00087
Exploits: 1, References: 2

Cvelist
added 2024/01/19 12:00 a.m., 12 views

CVE-2023-47035

RPTC 0x3b08c was discovered to not conduct status checks on the parameter tradingOpen. This vulnerability can allow attackers to conduct unauthorized transfer operations...

AI score 7.7, EPSS 0.00087
Exploits: 1, References: 2