Lucene search

3355 matches found

OSV
added 2026/03/06 8:31 p.m., 1 view

CVE-2026-29788 TSPortal: Anyone can forge self-deletion requests of any user

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 30, conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. This issue has been...

CVSS 8.4 | AI score 5.7 | EPSS 0.00262
Exploits 1 | References 4
CNNVD
added 2026/03/06 12:00 a.m., 3 views

OpenSift security vulnerability

OpenSift is an open-source artificial intelligence learning assistant developed by OpenSift. Versions of OpenSift prior to 1.6.3-alpha contained security vulnerabilities. These vulnerabilities stemmed from certain endpoints returning raw error strings to the client, and the login token material w...

CVSS 5.3 | AI score 5.8 | EPSS 0.00251
Exploits 0 | References 5
OSV
added 2026/03/05 10:16 p.m., 0 views

CVE-2026-28470

OpenClaw versions prior to 2026.2.2 contain an exec approvals must be enabled allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $ or backticks inside...

CVSS 8.1 | AI score 6.1
Exploits 0 | References 3
ATTACKERKB
added 2026/03/05 9:59 p.m., 2 views

CVE-2026-28470

OpenClaw versions prior to 2026.2.2 contain an exec approvals must be enabled allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $ or backticks inside...

CVSS 9.8 | AI score 6.2 | EPSS 0.00476
Exploits 0 | References 4
Snyk
added 2026/03/05 9:13 p.m., 3 views

Use of GET Request Method With Sensitive Query Strings

Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the c.IsTokenAuth checks in API routes. An attacker can obtain sensitive access tokens by inspecting URL parameters in logs, browser history, or referrer headers. Remediation...

CVSS 7.2 | AI score 5.8 | EPSS 0.00254
Exploits 0 | References 2
Vulnrichment
added 2026/03/05 2:14 p.m., 3 views

CVE-2026-3598 RustDesk Server Generates Config Strings Using Reversible Encoding (Base64 + Reverse) Instead of Encryption

Use of a Broken or Risky Cryptographic Algorithm vulnerability in rustdesk-server-pro RustDesk Server Pro rustdesk-server-pro on Windows, MacOS, Linux Config string generation, web console export modules allows Retrieve Embedded Sensitive Data. This vulnerability is associated with program routin...

CVSS 8.7 | AI score 5.8 | EPSS 0.00226
Exploits 1 | References 3
ATTACKERKB
added 2026/03/04 5:17 p.m., 5 views

CVE-2026-20031

A vulnerability in the HTML Cascading Style Sheets CSS module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper error handling when splitting UTF-8 strings. An attacker could exploit th...

CVSS 5.3 | AI score 6 | EPSS 0.00414
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/03/02 10:30 a.m., 10 views

CLSA-2026-1772124479 golang: Fix of 7 CVEs

Update to Go 1.25.7 - CVE-2025-61726: fixed DoS due to memory exhaustion flaw in net/url parameter parsing - CVE-2025-61732: fixed RCE via code smuggling flaw in cgo comment parsing - CVE-2025-68121: fixed security bypass in TLS where session resumption could ignore revoked or expired client...

CVSS 10 | AI score 6.3 | EPSS 0.00789
Exploits 1 | References 1
NVD
added 2026/02/27 9:16 p.m., 5 views

CVE-2026-28338

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains...

CVSS 6.8 | EPSS 0.00297
Exploits 1 | References 3
UbuntuCve
added 2026/02/27 12:16 a.m., 1 view

CVE-2026-2597

Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function randombytes. The function does not validate that the length parameter is non-negative. If a negative value, e.g. -1, is supplied, the expression length + 1u causes an integer wraparound,...

CVSS 7.5 | AI score 5.9 | EPSS 0.00295
Exploits 0 | References 1
OSV
added 2026/02/26 11:02 p.m., 4 views

CLSA-2026-1771855894 python-virtualenv: Fix of CVE-2024-53899

CVE-2024-53899: Quote template strings in activation scripts...

CVSS 8.4 | AI score 5.8 | EPSS 0.01526
Exploits 1 | References 1
OSV
added 2026/02/25 5:07 p.m., 9 views

CLSA-2026-1772039226 golang: Fix of 2 CVEs

CVE-2025-61726: limit parsed URL query parameters to mitigate excessive memory consumption during form parsing - CVE-2025-61732: prevent cgo code smuggling by removing user-controlled content from documentation strings in generated ASTs...

CVSS 8.6 | AI score 7 | EPSS 0.00789
Exploits 0 | References 1
OSV
added 2026/02/23 2:37 p.m., 3 views

CLSA-2026-1771857466 Fix CVE(s): CVE-2025-14087

SECURITY UPDATE: Buffer underflow / integer overflow in GVariant text format parser - debian/patches/CVE-2025-14087.patch: fix potential integer overflow parsing strings, bytestrings, and child element counts in gvariant-parser.c - CVE-2025-14087...

CVSS 9.8 | AI score 5.9 | EPSS 0.00754
Exploits 0 | References 1
OSV
added 2026/02/23 2:04 p.m., 5 views

CLSA-2026-1771855453 python-virtualenv: Fix of CVE-2024-53899

CVE-2024-53899: Quote template strings in activation scripts...

CVSS 8.4 | AI score 5.8 | EPSS 0.01526
Exploits 1 | References 1
OSV
added 2026/02/23 1:51 p.m., 4 views

CLSA-2026-1771854684 glib2: Fix of CVE-2025-14087

CVE-2025-14087: fix integer overflow when parsing bytestrings...

CVSS 9.8 | AI score 5.8 | EPSS 0.00754
Exploits 0 | References 1
GithubExploit
added 2026/02/23 4:21 a.m., 204 views

SSTI-to-RCE-Python-Eval-Bypass

SSTI-to-RCE-Python-Eval-Bypass A Proof-of-Concept PoC exp...

AI score 5.8
Exploits 0
CVE
added 2026/02/20 3:05 a.m., 128 views

CVE-2026-26996

CVE-2026-26996 affects minimatch, a glob-to-RegExp utility. Versions 10.2.0 and earlier are vulnerable to a Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal not present in the test string. Each * creates a separate [^/]*?...

CVSS 8.7 | AI score 5.4 | EPSS 0.005
Exploits 1 | References 2 | Affected Software 1
OSV
added 2026/02/18 11:08 a.m., 5 views

CLSA-2026-1771412927 glib2: Fix of CVE-2025-14087

CVE-2025-14087: fix integer overflow when parsing bytestrings...

CVSS 9.8 | AI score 5.8 | EPSS 0.00754
Exploits 0 | References 1
OSV
added 2026/02/18 10:58 a.m., 4 views

CLSA-2026-1771412328 glib2: Fix of CVE-2025-14087

CVE-2025-14087: fix integer overflow when parsing bytestrings...

CVSS 9.8 | AI score 5.9 | EPSS 0.00754
Exploits 0 | References 1
Positive Technologies
added 2026/02/17 12:00 a.m., 4 views

PT-2026-23545

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.2. Description: The software contains a flaw in its exec approvals allowlist, which can be bypassed when command substitution syntax is used. Specifically, attackers can execute arbitrary commands by injecting...

CVSS 9.8 | AI score 6 | EPSS 0.00476
Exploits 0 | References 11