Lucene search
K
GithubRecent

33187 matches found

Github Security Blog
Github Security Blog
added 2026/03/26 9:34 p.m.9 views

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens

Summary Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.4CVSS5.8AI score0.00241EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:31 p.m.10 views

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. A patched version is available at...

5.4CVSS5.7AI score0.00238EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:31 p.m.5 views

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

A flaw was found in Keycloak. The User-Managed Access UMA 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...

4.3CVSS5.8AI score0.00319EPSS
Exploits0References8Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/26 9:31 p.m.4 views

Keycloak: manage-clients permission escalates to full realm admin access

A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within...

7.2CVSS5.8AI score0.00471EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:30 p.m.7 views

OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation

Summary Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

6.5CVSS5.8AI score0.00278EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:27 p.m.26 views

OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete

Summary Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

7.3CVSS5.8AI score0.00247EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:24 p.m.6 views

OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement

Summary Mutating internal ACP chat commands missed the operator.admin gate that should separate read-only and mutating control-plane actions. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:23 p.m.6 views

OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions

Summary Mattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 630f1479c44f78484dfa21bb407cbe6f171dac87 - Lates...

9.1CVSS5.8AI score0.0042EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:15 p.m.6 views

OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status

Summary Read-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 630f1479c44f78484dfa21bb407cbe6f171dac87 - Latest...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:14 p.m.5 views

OpenClaw may have stale policy enforcement for queued node actions

Summary Queued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.9CVSS5.8AI score0.00217EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:51 p.m.9 views

OpenClaw has Inconsistent Host Exec Environment Override Sanitization

Summary Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released t...

8.8CVSS5.8AI score0.00489EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:50 p.m.6 views

OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

Summary Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:50 p.m.7 views

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Summary Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

6.9CVSS5.8AI score0.00494EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:50 p.m.6 views

OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution

Summary Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

6.3CVSS5.8AI score0.00117EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:50 p.m.6 views

OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure

Summary Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

6.9CVSS5.8AI score0.0036EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:49 p.m.8 views

Contrast BadAML injection allows arbitrary code execution

BadAML BadAML is an AML injection attack that exploits the ACPI interface and allows arbitrary code execution in a confidential VM. The attack was first published in 2024: - - Impact An attacker with control over the host which is assumed in the attacker model of Contrast can execute malicious AM...

6.5AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:30 p.m.7 views

OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

Summary Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

8.8CVSS5.8AI score0.00368EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:14 p.m.8 views

ImageMagick has an Out-of-bounds Write via InterpretImageFilename

Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow o...

5.1CVSS6AI score0.00128EPSS
Exploits0References3Affected Software17
Github Security Blog
Github Security Blog
added 2026/03/26 7:8 p.m.7 views

OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper

Summary Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-...

8.8CVSS5.8AI score0.00374EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:8 p.m.5 views

OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement

Summary Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

8.2CVSS5.8AI score0.00454EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:8 p.m.4 views

OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.

Summary Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric userid recorded by the webhook event. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

8.1CVSS5.8AI score0.00236EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:7 p.m.5 views

OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation

Summary Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked:...

7.6CVSS5.8AI score0.0026EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:7 p.m.6 views

Statamic allows unauthorized content access through missing authorization in its revision controllers

Impact Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and...

5.4CVSS5.7AI score0.00142EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:6 p.m.6 views

Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields

Impact A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content. Patches This has been fixed in 5.73.16 and 6.7.2...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:5 p.m.10 views

Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential

Impact The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows. Patches This has been fixed in 5.73.16 and 6.7.2...

6.1CVSS5.7AI score0.00177EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:5 p.m.5 views

Statamic's live preview token bypasses content protection for unrelated entries

Impact An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for. Patches This has been fixed in 5.73.16 and 6.7.2...

4.3CVSS5.7AI score0.00162EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:5 p.m.4 views

Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

Impact The user:resetpasswordform tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser. Patches This has been fixed in 5.73.16 and 6.7.2...

6.1CVSS5.8AI score0.00149EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:3 p.m.6 views

Statamic's Markdown preview endpoint exposes sensitive user data

Impact The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor...

6.5CVSS5.8AI score0.00255EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:0 p.m.4 views

OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers

Summary Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.23 - Latest released tag checked:...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:59 p.m.7 views

OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication

Summary Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest... treated isLocalDirectRequest... as an unconditional allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.23 -...

5.1CVSS5.9AI score0.00141EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:56 p.m.4 views

OpenClaw: Plivo V2 verified replay identity drifts on query-only variants

Summary Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-on...

8.3CVSS5.9AI score0.00283EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:55 p.m.5 views

Convict has Prototype Pollution via startsWith() function

Summary A prototype pollution vulnerability exists in the latest version of the convict npm package 6.2.4. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a...

6.4AI score0.0084EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:50 p.m.6 views

Convict has prototype pollution via load(), loadFile(), and schema initialization

Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. config.load / config.loadFile — overlay recursively merges config data without checking for forbidden keys. Input containing proto or constructor.prototype e.g. from a JSON file causes the recursion to reach...

5.8AI score0.00037EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:49 p.m.38 views

Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass

Summary A remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to...

8.7CVSS5.9AI score0.01125EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:48 p.m.25 views

Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

Summary Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Background This vulnerability is a new variant discovered during research into the "Funky Chunks" HTTP request smuggling techniques: - - The original researc...

7.5CVSS6AI score0.0064EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:45 p.m.8 views

Astro: Remote allowlist bypass via unanchored matchPathname wildcard

Summary This issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for / wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a...

6.3CVSS6AI score0.00325EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:41 p.m.7 views

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`

Summary The @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirel...

9.1CVSS5.9AI score0.00331EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:37 p.m.5 views

OpenBao has Reflected XSS in its OIDC authentication error message

Impact OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callbackmode=direct configured are vulnerable to XSS via the errordescription parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a...

9.6CVSS5.8AI score0.00287EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:32 p.m.5 views

OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

9.6CVSS5.9AI score0.00411EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.7 views

Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost...

6.8CVSS6AI score0.00421EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.5 views

Mattermost doesn't set permissions on downloaded bulk export

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593...

5.5CVSS5.8AI score0.00127EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.5 views

Mattermost doesn't validate decompressed archive entry sizes during file extraction

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly...

6.5CVSS5.9AI score0.00343EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.11 views

Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

8.8CVSS5.9AI score0.00268EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.6 views

Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility scope

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint...

4.3CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.7 views

OpenClaw is vulnerable to Path Traversal through path validation bypass

OpenClaw through 2026.3.23 fixed in commit 4797bbc contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath and isValidMedia functions. Attackers can exploit incomplete validation and the...

8.7CVSS6AI score0.00688EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.4 views

Langflow has Authenticated Code Execution in Agentic Assistant Validation

Description 1. Summary The Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class...

9.9CVSS6.7AI score0.01426EPSS
Exploits1References19Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:30 p.m.6 views

n8n Vulnerable to LDAP Filter Injection in LDAP Node

Impact A flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker cou...

6.3CVSS5.8AI score0.00245EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:29 p.m.11 views

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

Impact A brace pattern with a zero step value e.g., 1..2..0 causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question:...

7.5CVSS5.8AI score0.0043EPSS
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:28 p.m.5 views

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Impact An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy...

9CVSS5.9AI score0.00249EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:27 p.m.4 views

BuildKit Git URL subdir component can cause access to restricted files

Impact Insufficient validation of Git URL fragment subdir components :, docs may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. Patches The issue has been fixed in version v0.28.1 Workarounds The issue affects...

8.2CVSS5.7AI score0.00463EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities33187