GHSA-X2FF-J5C2-GGPR OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows

Impact In shared Slack workspace deployments that rely on sender restrictions allowFrom, DM policy, or channel user allowlists, some interactive callbacks blockaction, viewsubmission, viewclosed could be accepted before full sender authorization checks. In that scenario, an unauthorized workspace...

PT-2026-26387

Impact In shared Slack workspace deployments that rely on sender restrictions allowFrom, DM policy, or channel user allowlists, some interactive callbacks block action, view submission, view closed could be accepted before full sender authorization checks. In that scenario, an unauthorized...

CVE-2022-1545

It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note...

Denial of service

Mattermost fails to check the "inviteguest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server...

Gitlab -- vulnerabilities

Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project Group import allows impersonation of users in CI pipelines Developers can bypass code owners approval by changing a MR's base branch Leaking source code of restricted...

GitLab 14.3 < 14.9.5 / 14.10.0 < 14.10.4 / 15.0.0 < 15.0.1 (CVE-2022-1783)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It...

Plone unauthorized member addition vulnerability

Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator...

Cross-site Request Forgery (CSRF)

showdoc/showdoc is vulnerable to cross-site request forgery. The vulnerability exists through the register function in UserController.class.php, allowing an attacker to add any member to the team...