1230 matches found
CVE-2026-28472
OpenClaw CVE-2026-28472 affects the gateway WebSocket connect handshake. The vulnerability allows bypassing device-identity checks when an auth.token is present but not validated, enabling attackers to connect to the gateway without device identity or pairing and potentially gain operator access ...
CVE-2021-35486
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...
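The check the advisory says is missing is the "double submit" nonce pattern: a state-changing request must carry the anti-CSRF nonce both in a cookie (which the browser attaches automatically, even from a cross-site form) and in a custom request header (which cross-site JavaScript cannot set or read). The following is an added illustration, not Nokia IMPACT code; only the header and cookie names are taken from the advisory, and `handle_import` is a hypothetical stand-in for the import endpoint.

```python
import hmac
import secrets

# Added example, not Nokia IMPACT code. Demonstrates the double-submit CSRF nonce check
# the advisory reports as absent: on a state-changing request, the nonce must be present
# in BOTH the CSRF-NONCE cookie and the X-CSRF-NONCE header, and the two must match.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # non-mutating; no nonce required
HEADER = "x-csrf-nonce"                     # header name from the advisory (lower-cased)
COOKIE = "CSRF-NONCE"                       # cookie name from the advisory


def issue_nonce() -> str:
    """Server-side: mint an unguessable nonce to set as the CSRF-NONCE cookie and hand
    to the legitimate front-end so it can echo it in the X-CSRF-NONCE header."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, headers: dict, cookies: dict) -> bool:
    """Return True if the request may proceed. Mutating methods need header == cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    # HTTP header names are case-insensitive; normalise before lookup.
    header_val = {k.lower(): v for k, v in headers.items()}.get(HEADER)
    cookie_val = cookies.get(COOKIE)
    if not header_val or not cookie_val:
        return False          # a cross-site form can send the cookie, but never the header
    # Constant-time comparison avoids leaking the nonce byte-by-byte via timing.
    return hmac.compare_digest(header_val, cookie_val)


def handle_import(method: str, headers: dict, cookies: dict, body: bytes) -> tuple:
    """Hypothetical stand-in for /ui/rest-proxy/entity/import with the check in place."""
    if not csrf_check(method, headers, cookies):
        return 403, "CSRF nonce missing or mismatched"
    return 200, f"imported {len(body)} bytes of configuration"


if __name__ == "__main__":
    nonce = issue_nonce()
    # Legitimate same-origin request: front-end echoes the cookie value in the header.
    print(handle_import("POST", {"X-CSRF-NONCE": nonce}, {COOKIE: nonce}, b"{}"))
    # Cross-site request: browser attaches the cookie, attacker cannot add the header.
    print(handle_import("POST", {}, {COOKIE: nonce}, b"{}"))
```

Two caveats a practitioner should keep in mind: the cookie itself must not be settable by an attacker-controlled sibling subdomain (otherwise the attacker can plant a matching pair), and the comparison belongs on every mutating route, not just the import endpoint.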
PT-2026-21966
Name of the Vulnerable Software and Affected Versions: Angular SSR versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21. Description: Angular SSR, a server-side rendering tool for Angular applications, contains a Server-Side Request Forgery (SSRF) issue in its request handling pipeline. The...
EUVD-2025-208086
The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk. Multiple...
Command Injection
Apache Airflow is vulnerable to Command Injection. The vulnerability is due to a non-validated parameter in the example_dag_decorator example DAG, which allows an attacker to redirect execution to a malicious server and execute arbitrary code on a worker when example DAGs are enabled...
TruConfirm: Autonomous, Agent-Led, Safe Exploit Validation for Real-World Risk Reduction
Key Takeaways: CISOs still can't answer the only question that matters: Is this exposure exploitable on this asset, in our production environment, against our controls, right now? The vulnerability firehose broke the old model: With 48,177 CVEs published in 2025, "critical" lists are too large to...
[SECURITY] Fedora 42 Update: rpki-client-9.7-1.fc42
The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisatio...
[SECURITY] Fedora 43 Update: rpki-client-9.7-1.fc43
The OpenBSD rpki-client is a free, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of the Route Origin of a BGP announcement. The program queries the RPKI repository system, downloads and validates Route Origin Authorisatio...
CVE-2021-22969
Concrete CMS (formerly concrete5) versions below 8.5.7 have an SSRF mitigation bypass using a DNS rebinding attack, giving an attacker the ability to fetch cloud IaaS (e.g. AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading...
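The bypass works because an allow-list that resolves the hostname, checks the address, and then hands the hostname back to the HTTP client gives the attacker's DNS server a second lookup to answer differently (public IP for the check, 169.254.169.254 or an RFC 1918 address for the actual connection). The fix the advisory describes is to connect to the address that was validated. Added illustration, not Concrete CMS code: `RebindingResolver` and `fake_connect` are constructed stand-ins for DNS and for opening the socket, so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not Concrete CMS code. Contrasts a time-of-check/time-of-use SSRF filter
# (resolve, validate, then let the client resolve again) with the "pin the validated IP"
# fix the advisory describes.


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses. Rejects RFC 1918, loopback,
    link-local (incl. the 169.254.169.254 cloud metadata endpoint) and similar ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class RebindingResolver:
    """Constructed stand-in for DNS under attacker control: the authoritative server
    answers with a public IP on the first (low-TTL) lookup and a private one afterwards."""

    def __init__(self, answers):
        self._answers = list(answers)

    def resolve(self, hostname: str) -> str:
        # Serve answers in order; keep repeating the last one once the list is exhausted.
        return self._answers.pop(0) if len(self._answers) > 1 else self._answers[0]


def fake_connect(ip: str, hostname: str) -> dict:
    """Stand-in for opening the TCP/TLS connection: records where the socket really went
    and which name would be used for the Host header / TLS SNI and certificate check."""
    return {"connected_to": ip, "host_header": hostname}


def fetch_naive(url: str, resolver, connect=fake_connect) -> dict:
    """Vulnerable pattern: validate the name's current IP, then pass the NAME to the HTTP
    client, which resolves it a second time. The answer can change in between."""
    hostname = urlsplit(url).hostname
    if not is_public(resolver.resolve(hostname)):              # lookup 1: the check
        raise ValueError(f"blocked: {hostname} resolves to a non-public address")
    return connect(resolver.resolve(hostname), hostname)       # lookup 2: the use


def fetch_pinned(url: str, resolver, connect=fake_connect) -> dict:
    """Fixed pattern: resolve once, validate that address, and connect to that address.
    The hostname still travels alongside for the Host header and TLS verification."""
    hostname = urlsplit(url).hostname
    ip = resolver.resolve(hostname)
    if not is_public(ip):
        raise ValueError(f"blocked: {hostname} resolves to {ip}")
    return connect(ip, hostname)


if __name__ == "__main__":
    rebinder = RebindingResolver(["93.184.216.34", "169.254.169.254"])
    print("naive :", fetch_naive("http://attacker.example/file", rebinder))
    rebinder = RebindingResolver(["93.184.216.34", "169.254.169.254"])
    print("pinned:", fetch_pinned("http://attacker.example/file", rebinder))
```

In a real client the pinning is done by opening the socket to the validated IP while still supplying the hostname for SNI and certificate validation, and every redirect target must go through the same resolve-validate-pin step, since a 302 to an internal address is the other common way around this kind of filter.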
Security update for podman
This update for podman fixes the following issues: - CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed SSH Agent that could cause a panic due to an out-of-bounds read with non-validated message sizes (bsc#1253993). Patch Instructions: To install this SUSE update use the SUSE recommended installation...
SUSE-SU-2025:4536-1 Security update for podman
This update for podman fixes the following issues: - CVE-2025-47914: golang.org/x/crypto/ssh/agent: Fixed SSH Agent that could cause a panic due to an out-of-bounds read with non-validated message sizes (bsc#1253993)...
Malicious code in chai-as-validated (npm)
The package chai-as-validated was found to contain malicious code. Source: amazon-inspector ac732b7c822ce779d3d7579dba60aef4d3d11aadbd5ee31db0eab0e240833634. Source: ghsa-malware...
EUVD-2025-204929
Malicious code in chai-as-validated npm...
MAL-2025-192724 Malicious code in chai-as-validated (npm)
The package chai-as-validated was found to contain malicious code. Source: amazon-inspector ac732b7c822ce779d3d7579dba60aef4d3d11aadbd5ee31db0eab0e240833634. Source: ghsa-malware...
(0Day) Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config functio...
EUVD-2025-201134
Malicious code in email-validated npm...
MAL-2025-192292 Malicious code in email-validated (npm)
The package email-validated was found to contain malicious code. Source: amazon-inspector 16af72446800f2251ecdda400ad30c23637f628d1487ae5c911bb4283e3fe10c. Source: ghsa-malware 9f2a0d9794c8d949cc051fe3c306af63ddb55b6848d0607ef1f5d332585a2fc...
Malicious code in email-validated (npm)
The package email-validated was found to contain malicious code. Source: amazon-inspector 16af72446800f2251ecdda400ad30c23637f628d1487ae5c911bb4283e3fe10c. Source: ghsa-malware 9f2a0d9794c8d949cc051fe3c306af63ddb55b6848d0607ef1f5d332585a2fc...
Malicious Package
Overview: email-validated is a malicious package. This package contains malicious code associated with a social engineering campaign called "Contagious Interview." The attackers target developers through fake job interviews or coding test assignments that require the installation of this package...
SmartPoC: Generating Executable and Validated PoCs for Smart Contract Bug Reports
Smart contracts are prone to vulnerabilities and are analyzed by experts as well as automated systems, such as static analysis and AI-assisted solutions. However, audit artifacts are heterogeneous and often lack reproducible, executable PoC tests suitable for automated validation, leading to...