33227 matches found
NocoDB Vulnerable to SQL Injection via DATEADD Formula
Summary An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. Details The third argument unit of DATEADD was interpolated directly into knex.raw queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST...
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Summary User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. Details Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html...
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Overview of all XSS Reports Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows: | Report | What's Vulnerable | Why Separate | |--------|-------------------|--------------| | This Report 1 | Multiple settings names | Twig Template:...
Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 patched in 5.8.7. Required Permissions - Administrator permissions or access...
AWS-LC has PKCS7_verify Signature Validation Bypass
Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact Improper signature validation in PKCS7verify in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need...
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP...
AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact Improper certificate validation in PKCS7verify in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers ...
aws-kms-tls-auth vulnerable to memory overallocation
Summary aws-kms-tls-auth is an optional utility for s2n-tls that enables customers to use AWS KMS keys as part of the PSK extension field in a TLS 1.3 handshake. An issue exists in this library that can lead to overallocation of memory potentially resulting in a denial of service. Impact The PSK...
PickleScan has multiple stdlib modules with direct RCE not in blocklist
Summary picklescan v1.0.3 latest does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues CLEAN scan. This enables remote code execution that bypasse...
PickleScan's pkgutil.resolve_name has a universal blocklist bypass
Summary pkgutil.resolvename is a Python stdlib function that resolves any "module:attribute" string to the corresponding Python object at runtime. By using pkgutil.resolvename as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function e.g., os.system,...
PickleScan's profile.run blocklist mismatch allows exec() bypass
Summary picklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist ent...
WWBN AVideo is vulnerable to unauthenticated OS Command Injection via base64Url in objects/getImage.php
Impact An unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration secrets, internal keys, credentials, and service disruption...
Ghost Vulnerable to Remote Code Execution via Malicious Themes
Impact Specifically crafted malicious themes can execute arbitrary code on the server running Ghost. Vulnerable Versions This vulnerability is present in Ghost v0.7.2 to v6.19.0. Patches v6.19.1 contains a fix for this issue. Workarounds Ghost generally recommends users refrain from installing...
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
Summary When iMessage remote attachment fetching is enabled channels.imessage.remoteHost, stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the...
OpenClaw vulnerable to arbitrary file read via $include directive
Vulnerability Path traversal in config $include resolution allowed arbitrary local file reads outside the config directory boundary CWE-22. Attack Vectors 1. If an attacker can modify OpenClaw config, they can set $include to absolute paths for example /etc/passwd and read files accessible to the...
OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
Summary In OpenClaw system.run allowlist mode, shell-wrapper analysis could be bypassed by splitting command substitution as $\ + newline + inside double quotes. Analysis treated the payload as allowlisted for example /bin/echo, while shell runtime folded the line continuation into $... and...
OpenClaw's config env vars allowed startup env injection into service runtime
Summary OpenClaw allowed dangerous process-control environment variables from env.vars for example NODEOPTIONS, LD, DYLD to flow into gateway service runtime environments, enabling startup-time code execution in the OpenClaw process context. Details collectConfigEnvVars accepted unfiltered keys...
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
The shell environment fallback path could invoke an attacker-controlled shell when SHELL was inherited from an untrusted host environment. In affected builds, shell-env loading used $SHELL -l -c 'env -0' without validating that SHELL points to a trusted executable. In threat-model terms, this...
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
Summary In openclaw allowlist mode, tools.exec.safeBins trusted PATH-derived directories for safe-bin resolution. A same-name binary placed in a trusted PATH directory could satisfy safe-bin checks and execute. Impact This is an allowlist bypass in exec policy that can lead to command execution i...
OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
Summary OpenClaw Slack monitor handled reaction and pin non-message events before applying sender-policy checks consistently. In affected versions, these events could be added to system-event context even when sender policy would not normally allow them. Affected Packages / Versions - Package: np...
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Summary In openclaw up to and including 2026.2.23 latest npm release as of February 25, 2026, system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime. Affected Packages / Versions - Package: opencl...
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
Summary In [email protected], approval-bound system.run on node hosts could be influenced by mutable symlink cwd targets between approval and execution. Details Approval matching on the gateway validated command/argv and binding fields, including cwd, as provided text. Node execution later used...
OpenClaw's andbox browser noVNC observer lacked VNC authentication
The sandbox browser entrypoint launched x11vnc without authentication -nopw for noVNC observer sessions. OpenClaw-managed runtime flow publishes the noVNC port to host loopback only 127.0.0.1, so default exposure is local to the host unless operators explicitly expose the port more broadly or run...
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Summary DM pairing-store identities were incorrectly eligible for group allowlist authorization checks, enabling cross-context authorization in group message paths. Details In affected versions, group allowlist evaluation could inherit identities from the DM pairing store. A sender approved via D...
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
Summary A wrapper-depth parsing mismatch in system.run allowed nested transparent dispatch wrappers for example repeated /usr/bin/env to suppress shell-wrapper detection while still matching allowlist resolution. In security=allowlist + ask=on-miss, this could bypass the expected approval prompt...
OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Impact Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions. Affected Packages / Versions - Package: openclaw npm - Vulnerable...
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
Summary OpenClaw tools.exec.safeBins had a stdin-only policy bypass for grep. If pattern input was supplied through -e / --regexp, the validator consumed the pattern as a flag value and still allowed one positional operand. That positional could be a bare filename like .env. Affected Packages /...
OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
Impact In Telegram DM mode, inbound media was downloaded and written to disk before sender authorization checks completed. An unauthorized sender could trigger inbound media download/write activity including media groups even when DM access should be denied. Affected Packages / Versions - Package...
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths for example /agent/secret.png and load...
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
When sort is explicitly added to tools.exec.safeBins non-default, the --compress-program option can invoke an external helper and bypass the intended safe-bin approval constraints in allowlist mode. Affected Packages / Versions - Package: openclaw npm - Vulnerable versions: =2026.2.22. Once that...
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
Summary Gateway plugin route auth protection for /api/channels could be bypassed using encoded dot-segment traversal for example ..%2f in path variants that plugin handlers normalize. Affected Packages / Versions - Package: npm openclaw - Latest published vulnerable version: 2026.2.25 - Vulnerabl...
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
Summary When tokenless Tailscale auth is enabled, OpenClaw should only allow forwarded-header auth for Control UI websocket authentication on trusted hosts. In affected versions, that tokenless path could also be used by HTTP gateway auth call sites, which could bypass token/password requirements...
OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
Summary OpenClaw’s Feishu media download flow used untrusted Feishu media keys imageKey / fileKey when building temporary file paths in extensions/feishu/src/media.ts. Because those keys were interpolated directly into temp-file paths, traversal segments could escape the temp directory and redire...
DOMPurify contains a Cross-site Scripting vulnerability
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in 2.5.9 and 3.3.2, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements noscript, xmp, noembed, noframes, iframe in the SAFEFORXML regex...
DOMPurify contains a Cross-site Scripting vulnerability
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFEFORXML regex. Attackers can include closing rawtext tags like in attribute...
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Summary The HTML session exporter src/auto-reply/reply/export-html/template.js interpolates img.mimeType directly into attributes without validation or escaping. A crafted mimeType value e.g., x" onerror="alert1 can break out of the attribute context and execute arbitrary JavaScript. Impact An...
Temporary path handling could write outside OpenClaw temp boundary
Summary Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root. Affected Packages / Versions - Package: openclaw npm - Latest published version verified during triage: 2026.2.23 - Affected versions: = 2026.2.24 Detail...
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
Summary Sandbox browser container launched Chromium with --no-sandbox by default, disabling Chromium's OS-level sandbox protections. Affected Packages / Versions - Package: openclaw npm ecosystem - Latest published npm version at triage time 2026-02-21: 2026.2.19-2 - Affected range: = 2026.2.19-2...
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
Summary In OpenClaw MSTeams media download flows, redirect handling could bypass configured mediaAllowHosts checks in specific attachment paths. Redirect chains were not consistently constrained to allowlisted targets before accepting fetched content. Affected Packages / Versions - Package:...
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
Summary OpenClaw hook mapping transforms could be loaded via absolute paths or .. traversal, allowing arbitrary JavaScript module loading/execution in the gateway process when an attacker can modify hooks configuration. Affected Versions - Affected: = 2.0.0-beta3 and = 2026.2.13 - Fixed: 2026.2.1...
OpenClaw has command injection via Windows shell fallback in Lobster tool execution
Summary The Lobster extension tool execution path used a Windows shell fallback shell: true after spawn failures EINVAL/ENOENT. In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection. Affected Packages / Versions - Package:...
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw npm - Introduced: 2026.2.17 - Affected: = 2026.2.17 and = 2026.2.24 - Latest published at patch time:...
OpenClaw has allowlist exec-guard bypass via env -S
Summary In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads. Severity Rationale Medium This issue is rated medium because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not ...
Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface
Impact A stored Cross-site Scripting XSS vulnerability exists on confirmation messages within the wagtail.contrib.simpletranslation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, cause...
Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes
Impact A stored Cross-site Scripting XSS vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code...
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Arbitrary File Write via Symlink Path Traversal in Tar Extraction Summary The safeextracttarfile function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a...
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
Impact In simple words, some programs that use .flatten or .isEqual could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation...
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
Summary A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling modules/utenti/actions.php. This can promote an existing account e.g. agent into the Amministratori group as well as demot...
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Summary A typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the panel.adminmail setting. This value i...