Malicious code in roboat-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 206186397510c57a9f8cb5e6ca8bdf9d5e1349b99e73f8d06da13e687924feea This package is a malicious clone of a legitimate Roblox API wrapper. The new versions are published simultaneously with publishing malicious dependencies and...

PT-2026-32035

Name of the Vulnerable Software and Affected Versions Quarkus OpenAPI Generator versions prior to 2.16.0 and 2.15.0-lts Description The unzip method in ApicurioCodegenWrapper.java does not validate that the file path of extracted ZIP entries remains within the intended output directory. The...

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

GHSA-WPC6-37G7-8Q4W OpenClaw: Shell init-file options could satisfy exec allowlist script matching

Summary Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as --rcfile, --init-file, and --startup-file could therefore inherit allowlist trust from a matched script path even...

GHSA-57CW-J6VP-2P9M OpenEXR has use after free in PyObject_StealAttrString

Summary There is a use-after-free in PyObjectStealAttrString of pyOpenEXRold.cpp. This bug was found with ZeroPath. Details The legacy adapter defines PyObjectStealAttrString that calls PyObjectGetAttrString to obtain a new reference, immediately decrefs it, and returns the pointer. Callers then...

EUVD-2025-50827

OpenEXR has buffer overflow in PyOpenEXRold's channels and channel...

EUVD-2019-20103

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when...

CVE-2019-25685

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when...

[SECURITY] Fedora 43 Update: rust-sccache-0.14.0-2.fc43

Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache has the capability to utilize caching in remote storage environments, including various cloud storage options, or alternatively, in local storage...

PT-2026-30493

phpBB contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by exploiting the plupload functionality and phar:// stream wrapper. Attackers can upload a crafted zip file containing serialized PHP objects that execute arbitrary code when...

curl: Internal application wrapper or script using curl

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com 1. Status of the "-guid" FlagUndocumented/Non-existent: The official curl binary does not...

[SECURITY] Fedora 42 Update: rust-sccache-0.12.0-4.fc42

Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache has the capability to utilize caching in remote storage environments, including various cloud storage options, or alternatively, in local storage...

OpenClaw gateway exec allow-always over-trusts positional carrier executables

Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval...

GHSA-P4X4-2R7F-WJXG OpenClaw gateway exec allow-always over-trusts positional carrier executables

Summary Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. Impact A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval...

GHSA-6PFC-6M7W-M8FX OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper

Summary Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions. Impact A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program. Affected...

OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper

Summary Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions. Impact A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program. Affected...

Covert Timing Channel

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Covert Timing Channel via the dispatch-wrapper-resolution.ts and exec-wrapper-resolution.ts processes. An attacker can gain unauthorized code execution by bypassing the intended allowlist...

Interpretation Conflict

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Interpretation Conflict in the system.run approval process. An attacker can execute unintended local code by crafting wrapper binaries and inducing operators to approve misleading command...

Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rw39-5899-8mxp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that display...

EUVD-2026-17379

OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve...