Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/12 2:21 p.m.12 views

OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf

Summary openclaw had a workspace boundary bypass in workspace-only path validation: when an in-workspace symlink pointed outside the workspace to a non-existent leaf, the first write could pass validation and create the file outside the workspace. Affected Packages / Versions - Package: openclaw...

8.2CVSS5.8AI score0.00322EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:21 p.m.8 views

OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries

Summary In specific LINE configurations, sender IDs approved through DM pairing could also satisfy group allowlist checks when operators expected group sender access to be scoped only to explicit group allowlists. Affected Packages / Versions - Package: openclaw npm - Latest published version at...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:21 p.m.12 views

OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty

OpenClaw's Microsoft Teams plugin widened group sender authorization when a team/channel route allowlist was configured but groupAllowFrom was empty. Before the fix, a matching route allowlist entry could cause the message handler to synthesize wildcard sender authorization for that route, allowi...

4.3CVSS5.8AI score0.00267EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:21 p.m.6 views

OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path

OpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. If a local attacker could rebind that tools-root path between validation and the final write, the installer could be...

6.2CVSS5.8AI score0.00087EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:21 p.m.7 views

OpenClaw's system.run approvals did not bind mutable script operands across approval and execution

OpenClaw's system.run approval flow did not bind mutable interpreter-style script operands across approval and execution. A caller could obtain approval for an execution such as sh ./script.sh, rewrite the approved script before execution, and then execute different content under the previously...

6.3CVSS5.9AI score0.002EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:20 p.m.12 views

OliveTin's email argument makes compliance harder, enables log injection

Summary The typeSafetyCheckEmail function in service/internal/executor/arguments.go calls log.Errorf on every invocation including when validation succeeds err == nil. This means every email address submitted by any user is written to the application's ERROR-level log unconditionally. Because the...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:20 p.m.10 views

OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream

Summary OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control...

7.1CVSS6AI score0.00431EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:20 p.m.8 views

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause

Impact An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field including via dot-notation or $regex, the attacker can observe whether LiveQuery events are delivere...

7.5CVSS5.8AI score0.00288EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:19 p.m.26 views

Tornado is vulnerable to DoS due to too many multipart parts

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart...

8.7CVSS5.7AI score0.00375EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:19 p.m.6 views

Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity

The link.href check in makeTagSafe safe.ts, line 68-71 uses String.includes, which is case-sensitive: typescript if key === 'href' if val.includes'javascript:' || val.includes'data:' return nextkey = val Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as...

6.1CVSS5.9AI score0.00237EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:19 p.m.18 views

Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check

Summary useHeadSafe can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. Details XSS via data- attribute name injection The acceptDataAttrs function safe.t...

6.1CVSS5.9AI score0.00258EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:16 p.m.6 views

ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation

A 32-bit unsigned integer overflow in the XWD X Windows encoder can cause an undersized heap buffer allocation. When writing a extremely large image an out of bounds heap write can occur. ================================================================= ==741961==ERROR: AddressSanitizer:...

6.8CVSS6AI score0.00099EPSS
Exploits0References3Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:16 p.m.4 views

ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage

A crafted image could cause an out of bounds heap write inside the WaveletDenoiseImage method. When processing a crafted image with the -wavelet-denoise operation an out of bounds write can occur. ================================================================= ==661320==ERROR: AddressSanitizer:...

5.5CVSS5.8AI score0.00106EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:15 p.m.5 views

ImageMagick has Heap Buffer Over-Read in BilateralBlurImage

BilateralBlurImage contains a heap buffer over-read caused by an incorrect conversion. When processing a crafted image with the -bilateral-blur operation an out of bounds read can occur. ================================================================= ==676172==ERROR: AddressSanitizer:...

4.4CVSS6AI score0.00105EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:15 p.m.6 views

ImageMagick has heap-based buffer overflow in UHDR encoder

A heap-based buffer overflow in the UHDR encoder can happen due to truncation of a value and it would allow an out of bounds write. ================================================================ ==2158399==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x521000039500 at pc...

7.8CVSS6.1AI score0.00108EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:15 p.m.7 views

ImageMagick has stack buffer overflow in MagnifyImage

MagnifyImage uses a fixed-size stack buffer. When using a specific image it is possible to overflow this buffer and corrupt the stack...

7.8CVSS6AI score0.00107EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:13 p.m.13 views

devalue has prototype pollution in devalue.parse and devalue.unflatten

In devalue v5.6.3, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service DoS or type confusion...

7.5CVSS5.8AI score0.00373EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:12 p.m.7 views

ImageMagick: Integer overflow in DIB coder can result in out of bounds read or write

An integer overflow in DIB coder can result in out of bounds read or write...

8.1CVSS5.8AI score0.00334EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:12 p.m.8 views

ImageMagick has uninitialized pointer dereference in JBIG decoder

An uninitialized pointer dereference vulnerability exists in the JBIG decoder due to a missing check...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:11 p.m.6 views

ImageMagick has stack write buffer overflow in MNG encoder

A stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. ==2265506==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec4971310 at pc 0x55e671b8a072 bp 0x7ffec4970f70 sp...

6.9CVSS6.1AI score0.00096EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:11 p.m.6 views

ImageMagick has heap use-after-free in the MSL encoder

A heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. SUMMARY: AddressSanitizer: heap-use-after-free MagickCore/image.c:1195 in DestroyImage Shadow bytes around t...

5.3CVSS5.7AI score0.00193EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:9 p.m.6 views

ImageMagick has Heap Use-After-Free in ImageMagick MSL decoder

A heap use-after-free vulnerability in ImageMagick's MSL decoder allows an attacker to trigger access to freed memory by crafting an MSL file. ================================================================= ==1500633==ERROR: AddressSanitizer: heap-use-after-free on address 0x527000011550 at pc...

5.3CVSS5.8AI score0.00243EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:9 p.m.16 views

ImageMagick: Write heap-buffer-overflow in PCL encoder via undersized output buffer

A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation. WRITE of size 1 at 0x7e79f91f31a0 thread T0...

6.8CVSS6AI score0.00113EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:8 p.m.6 views

ImageMagick vulnerable to stack corruption through long morphology kernel names or arrays

A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption...

7.1CVSS6.1AI score0.00108EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:8 p.m.6 views

ImageMagick has Integer Overflow leading to out of bounds write in SIXEL decoder

An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage...

6.5CVSS5.8AI score0.00194EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:7 p.m.12 views

Winter vulnerable to privilege escalation by authenticated backend users

Impact Affected versions of Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their account through specially crafted requests to the backend while logged in. To actively exploit this security...

9.9CVSS5.7AI score0.00486EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 2:4 p.m.6 views

ImageMagick: Heap overflow in pcd decoder leads to out of bounds read.

The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read. ==3900053==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000003c6c at pc 0x55601b9cc552 bp...

9.1CVSS5.8AI score0.00404EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:2 p.m.8 views

ImageMagick has heap buffer overflow in YUV 4:2:2 decoder

A heap buffer overflow write vulnerability exists in ReadYUVImage coders/yuv.c when processing malicious YUV 4:2:2 NoInterlace images. The pixel-pair loop writes one pixel beyond the allocated row buffer. ================================================================= ==204642==ERROR:...

9.8CVSS6.1AI score0.00461EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:2 p.m.9 views

ImageMagick has Heap Out-of-Bounds Read in DCM Decoder (ReadDCMImage)

A heap out-of-bounds read vulnerability exists in the coders/dcm.c module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of...

6.5CVSS5.8AI score0.0034EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:2 p.m.10 views

ImageMagick: MSL - Stack overflow in ProcessMSLScript

Summary Magick fails to check for circular references between two MSLs, leading to a stack overflow. Details After reading a.msl using magick, the following is displayed: MSLStartElement - ReadImage - ReadMSLImage - ProcessMSLScript - xmlParseChunk - xmlParseTryOrFinish - MSLStartElement bash...

9.8CVSS5.8AI score0.00208EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:1 p.m.8 views

ImageMagick Has Signed Integer Overflow in SIXEL Decoder, Leading to Memory Corruption

A signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed...

7.5CVSS6AI score0.00275EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 2:1 p.m.5 views

ImageMagick: MSL attribute stack buffer overflow leads to out of bounds write.

A stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption. ================================================================= ==278522==ERROR: AddressSanitizer: stack-buffer-overflow on address...

9.8CVSS6.1AI score0.00272EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.7 views

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads without authentication...

9.8CVSS6.3AI score0.01534EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.9 views

SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization

SGLangs replayrequestdump.py contains an insecure pickle.load without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script...

7.8CVSS5.9AI score0.00334EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.9 views

Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-82g8-464f-2mv7. This link is maintained to preserve external references. Original Description A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function...

8.8CVSS5.6AI score0.00316EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.6 views

Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6c9j-x93c-rw6j. This link is maintained to preserve external references. Original Description A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of th...

5.5CVSS5.2AI score0.00133EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.6 views

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module

SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads without authentication...

9.8CVSS6.3AI score0.01158EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:30 p.m.7 views

Keycloak vulnerable to authorization bypass via the Admin API

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim'...

3.1CVSS5.8AI score0.00275EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/12 12:31 a.m.8 views

Consul is vulnerable to arbitrary file read when configured with Kubernetes authentication

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5...

6.8CVSS5.8AI score0.00475EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:31 a.m.12 views

yauzl contains an off-by-one error

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...

6.9CVSS6AI score0.00485EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/12 12:31 a.m.9 views

@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The...

6.5CVSS5.3AI score0.00441EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 10:18 p.m.12 views

xygeni-action v5 tag poisoned with C2 backdoor

Description On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests 46, 47, 48 injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the...

9.8CVSS6AI score0.00496EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 10:17 p.m.10 views

Tornado has incomplete validation of cookie attributes

Values passed to the domain, path, and samesite arguments of RequestHandler.setcookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 9:11 p.m.23 views

.NET Denial of Service Vulnerability

Microsoft Security Advisory CVE-2026-26127 – .NET Denial of Service Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0 and .NET 10.0. This advisory also provides guidance on what developers can do to update their...

7.5CVSS6AI score0.02049EPSS
Exploits0References4Affected Software13
Github Security Blog
Github Security Blog
added 2026/03/11 9:11 p.m.12 views

.NET Denial of Service Vulnerability

Microsoft Security Advisory CVE-2026-26130 – .NET Denial of Service Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to...

7.5CVSS6AI score0.02818EPSS
Exploits0References5Affected Software12
Github Security Blog
Github Security Blog
added 2026/03/11 7:53 p.m.5 views

Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash

Summary Shescapeescape does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret12 to expand into multiple filesystem matches instead of a single...

6.9CVSS5.8AI score0.00214EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 7:53 p.m.15 views

.NET Elevation of Privilege Vulnerability

Microsoft Security Advisory CVE-2026-26131 – .NET Elevation of Privilege Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 10.0. This advisory also provides guidance on what developers can do to update their...

7.8CVSS5.8AI score0.00359EPSS
Exploits0References4Affected Software6
Github Security Blog
Github Security Blog
added 2026/03/11 7:29 p.m.13 views

Argo Workflows: WorkflowTemplate Security Bypass via podSpecPatch in Strict/Secure Reference Mode

Summary A user who can submit Workflows can completely bypass all security settings defined in a WorkflowTemplate by including a podSpecPatch field in their Workflow submission. This works even when the controller is configured with templateReferencing: Strict, which is specifically documented as...

9.9CVSS5.8AI score0.00413EPSS
Exploits1References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/11 7:24 p.m.14 views

Shopware vulnerable to a potential take over of app credentials

Summary We identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an...

8.9CVSS5.8AI score0.00267EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/11 7:23 p.m.11 views

Shopware has user enumeration via distinct error codes on Store API login endpoint

Summary The Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown CHECKOUTCUSTOMERNOTFOUND. The "not found" response also echoes the...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References3Affected Software2
Total number of security vulnerabilities33225