Lucene search
K

547 matches found

NVD
NVD
added 2026/03/05 10:16 p.m.10 views

CVE-2026-28474

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.8CVSS0.00489EPSS
Exploits0References3
CVE
CVE
added 2026/03/05 9:59 p.m.21 views

CVE-2026-28474

OpenClaw's Nextcloud Talk plugin (versions prior to 2026.2.6) is affected by a flaw in equality matching on the mutable actor.name display name used for allowlist validation, allowing an attacker to spoof a display name to match an allowlisted user ID and gain unauthorized access to restricted co...

9.8CVSS6AI score0.00489EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/05 9:59 p.m.3 views

CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.8CVSS5.8AI score0.00489EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/05 9:59 p.m.5 views

CVE-2026-28474

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.8CVSS6AI score0.00489EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/05 9:59 p.m.42 views

CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.8CVSS0.00489EPSS
Exploits0References3
OSV
OSV
added 2026/03/05 9:59 p.m.4 views

CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.3CVSS7.2AI score0.00489EPSS
Exploits0References5
EUVD
EUVD
added 2026/03/05 9:59 p.m.8 views

EUVD-2026-9920

OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and...

9.8CVSS6AI score0.00489EPSS
Exploits0References3
OSV
OSV
added 2026/03/03 11:8 p.m.6 views

GHSA-R9Q5-C7QC-P26W OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

5.3CVSS5.9AI score0.00267EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 11:8 p.m.11 views

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/03 12:0 a.m.10 views

PT-2026-26224

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

6.5CVSS5.8AI score0.00267EPSS
Exploits0References9
Snyk
Snyk
added 2026/02/17 9:36 p.m.3 views

User Impersonation

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to User Impersonation via the actor.name field in webhook payloads. An attacker can gain unauthorized access to direct messages or rooms by spoofing their display name t...

9.8CVSS5.6AI score0.00489EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/17 9:36 p.m.15 views

Nextcloud Talk allowlist bypass via actor.name display name spoofing

Summary In affected versions of the optional Nextcloud Talk plugin installed separately; not bundled with the core OpenClaw install, an untrusted webhook field actor.name, display name could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...

9.8CVSS5.6AI score0.00489EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/02/17 9:36 p.m.10 views

GHSA-R5H9-VJQC-HQ3R Nextcloud Talk allowlist bypass via actor.name display name spoofing

Summary In affected versions of the optional Nextcloud Talk plugin installed separately; not bundled with the core OpenClaw install, an untrusted webhook field actor.name, display name could be treated as an allowlist identifier. An attacker could change their Nextcloud display name to match an...

9.3CVSS5.7AI score0.00489EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/01/20 12:0 a.m.4 views

PT-2026-23549

Name of the Vulnerable Software and Affected Versions OpenClaw Nextcloud Talk plugin versions prior to 2026.2.6 Description The Nextcloud Talk plugin allows attackers to bypass direct message DM and room allowlists. The plugin incorrectly uses the mutable actor.name field for allowlist validation...

10CVSS5.8AI score0.00489EPSS
Exploits0References18
Tenable Nessus
Tenable Nessus
added 2026/01/16 12:0 a.m.6 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-004202)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004202 advisory. An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalkprocexit, related to net/appletalk/atalkproc.c, net/appletalk/ddp.c, and...

10CVSS6.3AI score0.02588EPSS
Exploits1References15
RedhatCVE
RedhatCVE
added 2026/01/09 11:21 a.m.9 views

CVE-2021-22952

A vulnerability found in UniFi Talk application V1.12.3 and earlier permits a malicious actor who has already gained access to a network to subsequently control Talk devices assigned to said network if they are not yet adopted. This vulnerability is fixed in UniFi Talk application V1.12.5 and lat...

8.8CVSS6.8AI score0.0099EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:39 a.m.7 views

CVE-2022-35932

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is...

5.3CVSS6.9AI score0.0105EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:27 a.m.6 views

CVE-2023-45149

Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the...

4.3CVSS6.9AI score0.0048EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:21 a.m.6 views

CVE-2021-41180

Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only...

6.1CVSS6.7AI score0.01026EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:38 a.m.5 views

CVE-1999-0251

Denial of service in talk program allows remote attackers to disrupt a user's display...

5CVSS7AI score0.01907EPSS
Exploits0References1
Rows per page
Query Builder