CVE-2026-35665
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...
EUVD-2026-21476
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...
CVE-2026-35665 OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...
CVE-2026-33473 Vikunja has TOTP Reuse During Validity Window
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue...
CVE-2026-31827
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is...
CVE-2026-21725
A time-of-create-to-time-of-use TOCTOU vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion...
UBUNTU-CVE-2026-21725
A time-of-create-to-time-of-use TOCTOU vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met: - The attacker must have admin access to the specific datasource prior to its first deletion...
CVE-2026-21725
CVE-2026-21725 describes a TOCTOU issue in Grafana data sources where a recently deleted-then-recreated datasource can be re-deleted by an attacker. Conditions include admin access before first deletion, a 30-second window on the same pod, the attacker deleting the datasource, a recreate by anoth...
PT-2026-22038
Name of the Vulnerable Software and Affected Versions: TinyWeb versions prior to 2.02. Description: TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. The server creates a new operating system thread for each incoming connection without enforcing a maximum concurrency limit or an...
Linux Distros Unpatched Vulnerability : CVE-2022-28204
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A denial-of-service issue was discovered in MediaWiki 1.37.x before 1.37.2. Rendering of...
DRUPAL-CONTRIB-2025-063
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...
Mattermost security vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability exists in Mattermost version 9.11.2 and prior versions 9.11.x and version 9.5.10 and prior versions 9.5.x. The vulnerability stems from a failure to protect the MFA code from...
PT-2024-22620 · Levelone · Levelone Wbr-6012
Name of the Vulnerable Software and Affected Versions: LevelOne WBR-6012 (affected versions not specified). Description: A security issue exists due to hard-coded credentials in the web services of the affected device. This allows attackers to gain unauthorized access within the first 30 seconds aft...
GHSA-XMMM-JW76-Q7VG Keycloak's One Time Passcode (OTP) is valid longer than expiration time
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to the 30-second default. Instead of expiring and being deemed unusable at around 30 seconds, the tokens are valid for an additional 30 seconds, totaling 1 minute. A one time passco...
Multiple Goverlan products security vulnerability
Goverlan Reach Console is a software-based, self-hosted IT remote support solution. Goverlan Reach Server is the central organization for all Goverlan services. Goverlan Client Agent is a secure, low footprint,...
Grafana fine-grained access control API Key privilege escalation
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructe...