EUVD-2026-36617

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval...

CVE-2026-53829 OpenClaw < 2026.5.18 - Command Truncation in Exec Approval Display

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval...

CVE-2026-53829 OpenClaw < 2026.5.18 - Command Truncation in Exec Approval Display

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval...

PT-2026-49033

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.18 Description An approval display truncation issue allows authenticated users to hide command suffixes from approvers. This enables attackers to submit oversized exec commands that feature benign prefixes and...

Vim < 9.2.0383 OS Command Injection in netrw (GHSA-85ch-p2qr-m5gx)

The version of Vim installed on the remote host is prior to 9.2.0383. It is, therefore, affected by a vulnerability as referenced in the GHSA-85ch-p2qr-m5gx advisory. - An OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. The suffix extraction logic in...

CLSA-2026-1779436673 vim: Fix of CVE-2026-42307

CVE-2026-42307: fix shell-injection in netrw via crafted sftp:// and file:// URLs by escaping the tempfile name and restricting the filename-suffix regex to word characters runtime/autoload/netrw.vim, upstream patch 9.2.0383...

CVE-2026-36762

An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations...

Astra Linux – Vulnerability in glibc

The iconv program in the GNU C Library also known as glibc or libc6 version 2.31 and earlier, when invoked with multiple suffixes in the destination encoding TRANSLATE or IGNORE along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, resulting in a...

CVE-2026-36760

An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled...

PT-2026-36131

Name of the Vulnerable Software and Affected Versions JeeSite version 5.15.1 Description An issue in the '/a/file/upload' endpoint allows authenticated attackers with file upload permissions to perform path traversal and write arbitrary files with whitelisted suffixes to any location on the...

CVE-2026-36762

An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations...

CVE-2026-36762

An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the router process. An attacker can retrieve sensitive information from internal network resources by crafting requests that leverage specific file suffixes and HTTP 302 redirects to bypass...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the router process. An attacker can retrieve sensitive information from internal network resources by crafting requests that leverage specific file suffixes and HTTP 302 redirects to bypass...

TrapSuffix: Proactive Defense against Adversarial Suffixes in Jailbreaking

Suffix-based jailbreak attacks append an adversarial suffix, i.e., a short token sequence, to steer aligned LLMs into unsafe outputs. Since suffixes are free-form text, they admit endlessly many surface forms, making jailbreak mitigation difficult. Most existing defenses depend on passive detecti...

Unity Linux 20.1070e Security Update: libarchive (UTSA-2025-993342)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993342 advisory. A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names...

EUVD-2022-0899

Malicious code in bioql PyPI...

EUVD-2024-21484

Malicious code in bioql PyPI...

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

...

Medium: libarchive

Issue Overview: A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leadi...