Lucene search
K

7855 matches found

EUVD
EUVD
added 2026/06/17 2:8 p.m.9 views

EUVD-2026-37722

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 default Supervised security policy can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: 1 isargssafe blocks...

9.6CVSS6.7AI score0.00704EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 2:8 p.m.29 views

CVE-2026-55743 OpenHuman desktop agent shell tool sandbox bypass leads to arbitrary command execution

The shell tool command allowlist in the SecurityPolicy of OpenHuman desktop agent through 0.54.0 default Supervised security policy can be bypassed to execute arbitrary OS commands with the privileges of the desktop user. Two flaws in src/openhuman/security/policy.rs combine: 1 isargssafe blocks...

9.6CVSS0.00704EPSS
Exploits0References3
OSV
OSV
added 2026/06/16 10:20 p.m.7 views

MAL-2026-5936 Malicious code in vite-config-field (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e5dabbc9cf746e153391fbe76f4dc54f9bccb9f7fd467d5b80d07c84ab1fb58 [email protected] impersonates the legitimate vite-plugin-pwa package README copies its banner/badges, funding field points at antfu's GitHub...

6.1AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/16 9:32 p.m.8 views

Duplicate Advisory: Host environment sanitizer missed two Node.js control variables

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-ccwh-wwpp-6wg5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that...

8.1CVSS5.2AI score0.00246EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/06/16 7:17 p.m.13 views

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

8.1CVSS0.00246EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:5 p.m.30 views

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer. This allows Node.js control variables to bypass validation when provided via workspace .env files, tool environment overrides, or skill environment blocks, potentially influencing chil...

8.1CVSS5.3AI score0.00246EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/16 6:5 p.m.8 views

CVE-2026-53864 OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

8.1CVSS5.3AI score0.00246EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/16 6:5 p.m.20 views

CVE-2026-53864 OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

8.1CVSS0.00246EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/06/16 5:38 p.m.7 views

rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding

A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak...

8.1CVSS5.4AI score0.0078EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/16 5:37 p.m.7 views

rsync: rsync: Remote memory disclosure via integer overflow in compressed-token decoding

A flaw was found in rsync. An authenticated daemon peer can exploit an integer overflow vulnerability in the compressed-token decoder. By carefully manipulating the compressed-token, a malicious sender can trigger an overflow, leading to remote memory disclosure. This allows an attacker to leak...

8.1CVSS5.4AI score0.0078EPSS
Exploits0References4
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.109 views

Juniper J-Web - Remote Code Execution

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain environments variables to execute remote commands id: CVE-2023-36845 info: name: Juniper J-Web - Remote Code...

9.8CVSS7.9AI score0.93546EPSS
Exploits27References5
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.264 views

ShellShock - Remote Code Execution

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the modcgi and modcg...

10CVSS9.1AI score0.99999EPSS
Exploits140References5
OSV
OSV
added 2026/06/16 2:15 a.m.8 views

MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97 package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

5.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 2:14 a.m.9 views

Malicious code in event-metrics-q3x7 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b805c0ac88b45f49b1698fb9ea33e00767380544221d574a0da0e0f526d07f8 On install, package.json runs a postinstall hook node run.js that triggers beacon scripts beacon20.js, beaconlinux.js shipped in the tarball. The...

5.8AI score
Exploits0References10
OSV
OSV
added 2026/06/16 1:34 a.m.3 views

MAL-2026-5858 Malicious code in metrics-pipeline-d8k2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0 Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js load...

5.8AI score
Exploits0References22
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.15 views

PT-2026-49781

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.26 Description Insufficient sanitization in the host environment sanitizer allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or...

8.1CVSS5.2AI score0.00246EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.11 views

PT-2026-50161

Name of the Vulnerable Software and Affected Versions Caddy versions prior to 2.11.4 Description An issue exists where forward auth copy headers deletes client-supplied identity headers before copying trusted values from an authentication gateway. However, when requests are processed via php...

8.1CVSS5.9AI score0.00246EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.9 views

PT-2026-50146

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.7.10 Description In the node:child process implementation on Windows, the escapeShellArg helper function fails to properly quote arguments containing cmd.exe metacharacters such as &, |, , ^, !, , and and does not...

8.1CVSS6.2AI score0.00283EPSS
Exploits1References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 8:11 p.m.10 views

Malicious code in yunxin-overmind-comment (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...

5.3AI score
Exploits0References1
OSV
OSV
added 2026/06/15 8:11 p.m.8 views

MAL-2026-5833 Malicious code in yunxin-overmind-comment (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc On npm install, the package's scripts.postinstall runs src/postinstall.js, which spawns a detached Node child that collects the installer's hostname,...

5.4AI score
Exploits0References1
Rows per page
Query Builder