Lucene search
K
GithubRecent

33187 matches found

Github Security Blog
Github Security Blog
added 2026/06/18 9:13 p.m.9 views

Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints

Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery SSRF vulnerability in three administrative endpoints used for remote Signal K server connection management. The makeRemoteRequest function accepts attacker-controlled host, port, useTLS, and...

5.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 9:9 p.m.9 views

PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle

Impact RSACrypt::decryptWithRSA15 used by the RSA15 key-encryption algorithm implements RSAES-PKCS1-v15 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required ...

5.4AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 9:9 p.m.17 views

PHP JWT Framework: JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks

Summary JWSVerifier::getAlgorithm in src/Library/Signature/JWSVerifier.php line 144 merges protected and unprotected headers using PHP's spread operator: php $completeHeader = ...$signature-getProtectedHeader, ...$signature-getHeader; In PHP, when spreading arrays with duplicate string keys, the...

5.4AI score
Exploits0References3Affected Software4
Github Security Blog
Github Security Blog
added 2026/06/18 9:9 p.m.8 views

PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service

Impact When a JWE uses a password-based key-encryption algorithm PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, PBES2AESKW::unwrapKey reads the p2c PBKDF2 iteration count parameter directly from the attacker-controlled JOSE header and passes it to hashpbkdf2 with no upper bound. The...

5.6AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 9:8 p.m.12 views

PHP JWT Framework: Chacha20Poly1305 key-encryption algorithm discards the Poly1305 authentication tag, performing no authentication on decryption

Impact The experimental Chacha20Poly1305 key-encryption algorithm generates the 16-byte Poly1305 authentication tag during encryptKey but discards it: the tag is never written to the header and therefore never reaches the wire. On the receiving side, decryptKey calls...

5.5AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/18 9:7 p.m.11 views

spomky-labs/otphp: Mass-assignment in Factory::loadFromProvisioningUri lets a hostile provisioning URI corrupt OTP state or leak an uncaught TypeError

Summary OTPHP\Factory::loadFromProvisioningUri parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter$key, $value. setParameter resolves the name with propertyexists$this, $parameter and performs a dynamic write $this-$parameter = $value src/OTP.php:196-197...

5.3AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:45 p.m.10 views

spomky-labs/otphp: Unbounded digits parameter in a provisioning URI triggers an uncaught DivisionByZeroError in OTP generation

Summary The digits parameter parsed from a provisioning URI is validated only with a lower bound $value 0 and has no upper bound src/OTP.php:353-357. OTP generation computes $code % 10 $this-getDigits src/OTP.php:283. When digits is large enough that 10 digits overflows PHP's integer range and th...

5.4AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:44 p.m.8 views

gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)

Untrusted prompt input could reach the Gemini CLI @file parser, allowing read/exfiltration of arbitrary local files @/etc/passwd, @/.ssh/idrsa, @../../secret. On Windows, unquoted cmd.exe metacharacters could break out into OS command injection. Fix 1.1.6: removed the broken shell:false...

9.8CVSS8.8AI score0.03336EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:44 p.m.10 views

OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state

Summary Internal/webchat command auth could inherit ownerAllowFrom wildcard state. In affected versions, a sender on an affected internal or webchat path could inherit wildcard ownerAllowFrom state across channel boundaries. This advisory is scoped to the named feature and configuration. It does...

6.5CVSS5.6AI score0.00245EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:42 p.m.8 views

OpenClaw: Empty-scope device re-pairing could confuse caller scope containment

Summary Empty-scope device re-pairing could confuse caller scope containment. In affected versions, a device re-pairing request with an empty scope set could skip the intended containment guard during re-pairing. This advisory is scoped to the named feature and configuration. It does not change...

5.4CVSS5.5AI score0.00206EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:41 p.m.9 views

OpenClaw: Workspace-derived service PATH could influence trash command selection

Summary Workspace-derived service PATH could influence trash command selection. In affected versions, a workspace-derived environment path could select an unintended trash executable during maintenance. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

7.2CVSS5.6AI score0.00119EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:39 p.m.10 views

OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots

Summary Workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. In affected versions, a workspace .env in a repository opened by a trusted operator could set STATEDIRECTORY before runtime dependency root resolution. This advisory is scoped to the named feature and...

7.1CVSS5.6AI score0.00124EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:36 p.m.15 views

OpenClaw: Discord allowFrom could bind to mutable display names

Summary Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change...

8.6CVSS5.6AI score0.00267EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:34 p.m.16 views

OpenClaw: Focus command could miss controlScope enforcement

Summary Focus command could miss controlScope enforcement. In affected versions, a caller able to trigger the focus command could run the command without enforcing the expected control scope. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

6.8CVSS5.6AI score0.00093EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:33 p.m.17 views

OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install

Summary Workspace .env npmexecpath could influence bundled runtime dependency install. In affected versions, a workspace .env in a repository opened by a trusted operator could override the package-manager executable path used by the install helper. This advisory is scoped to the named feature an...

7.1CVSS5.6AI score0.00118EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:33 p.m.12 views

OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns

Summary OpenClaw's exec allowlist supported optional argPattern entries to restrict the arguments accepted for an allowlisted executable. In affected releases, Linux and macOS gateways skipped argPattern checks and treated a matching executable path as sufficient to satisfy the allowlist. This...

8.3CVSS5.8AI score0.00347EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:32 p.m.13 views

OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers

Summary BlueBubbles sender policy could match mutable conversation identifiers. In affected versions, a participant able to influence conversation-level identifiers could match an allowlist entry through conversation metadata rather than a stable sender identity. This advisory is scoped to the...

5.4CVSS5.6AI score0.00171EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:31 p.m.12 views

OpenClaw: memory-wiki shared search could miss session visibility checks

Summary memory-wiki shared search could miss session visibility checks. In affected versions, a caller able to search shared memory could skip the session visibility guard on the affected search path. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

6.5CVSS5.6AI score0.0021EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:29 p.m.13 views

OpenClaw: Config recovery could restore openclaw.json with broad file permissions

Summary Config recovery could restore openclaw.json with broad file permissions. In affected versions, a local recovery path after configuration repair could leave the restored config file more readable than intended. This advisory is scoped to the named feature and configuration. It does not...

5.7CVSS5.5AI score0.00094EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:17 p.m.9 views

OpenClaw: Zalo allowFrom could bind to mutable display names

Summary Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.6CVSS5.5AI score0.00225EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:16 p.m.10 views

OpenClaw: Skill-command dispatch could skip before-tool-call hooks

Summary Skill-command dispatch could skip before-tool-call hooks. In affected versions, a skill command routed through the affected dispatch path could run without the same runBeforeToolCallHook coverage as other tool entry points. This advisory is scoped to the named feature and configuration. I...

4.3CVSS5.6AI score0.00185EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:15 p.m.9 views

OpenClaw: Active Memory write scope could mutate global config

Summary Active Memory write scope could mutate global config. In affected versions, a Gateway caller with operator.write access to the affected command could change global configuration without requiring operator.admin. This advisory is scoped to the named feature and configuration. It does not...

5.4CVSS5.6AI score0.00176EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:14 p.m.11 views

OpenClaw: Exported session HTML could keep unsafe markdown links

Summary Exported session HTML could keep unsafe markdown links. In affected versions, content rendered into an exported session could preserve unsafe javascript: or data: links in generated HTML. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

6.1CVSS5.5AI score0.00188EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:13 p.m.8 views

OpenClaw: Slack reaction events could ignore reaction notification settings

Summary Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled. This advisory is scoped to the named feature and configuration. It...

6.3CVSS5.5AI score0.00191EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:12 p.m.9 views

OpenClaw: Bootstrap token replay could widen pending pairing scopes

Summary Bootstrap token replay could widen pending pairing scopes. In affected versions, a caller with access to a pending bootstrap token could reuse the token before approval with a broader requested scope set. This advisory is scoped to the named feature and configuration. It does not change...

5.4CVSS5.5AI score0.00088EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:12 p.m.9 views

OpenClaw: Shell positional parameters could weaken strict inline-eval checks

Summary Shell positional parameters could weaken strict inline-eval checks. In affected versions, a command request that combines allowlisted tools with shell positional arguments could place inline-eval content in a shell carrier not covered by the strict check. This advisory is scoped to the...

8.1CVSS5.5AI score0.0026EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:11 p.m.10 views

OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently

Summary Hostname checks could treat trailing-dot hosts inconsistently. In affected versions, a request path that accepts model- or workspace-derived URLs could present the same hostname with a trailing dot and avoid a blocklist comparison. This advisory is scoped to the named feature and...

6.5CVSS5.5AI score0.0021EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 8:10 p.m.9 views

OpenClaw: Exec allowlist could miss side effects from transparent command wrappers

Summary Exec allowlist could miss side effects from transparent command wrappers. In affected versions, a command request that reaches the exec allowlist path could be evaluated against the inner command while the wrapper invocation still executed. This advisory is scoped to the named feature and...

4.3CVSS5.6AI score0.00185EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 6:35 p.m.9 views

[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat

In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the...

8.8CVSS6AI score0.00272EPSS
Exploits0References6Affected Software6
Github Security Blog
Github Security Blog
added 2026/06/18 6:35 p.m.12 views

[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files e.g. .theia/tasks.json, .vscode/tasks.json could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitra...

8.8CVSS6.1AI score0.00231EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/06/18 6:35 p.m.12 views

[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed...

8.8CVSS6.1AI score0.00272EPSS
Exploits0References6Affected Software7
Github Security Blog
Github Security Blog
added 2026/06/18 6:35 p.m.14 views

[Eclipse Theia] Data Exfiltration via Markdown Image Rendering in AI Chat

In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs...

6.7CVSS6AI score0.00181EPSS
Exploits0References6Affected Software7
Github Security Blog
Github Security Blog
added 2026/06/18 5:25 p.m.31 views

Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)

Summary The Docker API server applied its SSRF destination check validateurldestination on the non-streaming /crawl path but not on the streaming path. handlestreamcrawlrequest passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could call POS...

5.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:25 p.m.14 views

Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args

Summary The Docker API server accepted a request-supplied browserconfig.extraargs, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command --utility-cmd-prefix, --renderer-cmd-prefix, --gpu-launcher,...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:25 p.m.8 views

Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE

Summary When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path e.g. /etc/cron.d/evil or ../ traversal escaped the downloads directory, giving an...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:24 p.m.21 views

budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL

Summary This advisory covers three distinct SQL Injection vulnerabilities within Budibase's database connectors PostgreSQL, Microsoft SQL Server, and MySQL. Because user-controlled schema and table configurations are interpolated directly into raw SQL queries without proper escaping or...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:22 p.m.15 views

@acastellon/auth: Authentication bypass via spoofable headers in validateToken()

@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get'host'.startsWithgetHostName. Both...

8.7CVSS5.5AI score0.00543EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:22 p.m.16 views

Armeria: External Control of File Name or Path in xDS SDS DataSource

External Control of File Name or Path in xDS SDS DataSource Summary DataSourceStream in the :xds module resolves control-plane-supplied filename and environmentvariable fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control...

5.9CVSS5.5AI score0.00198EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:22 p.m.12 views

netlicensing-mcp: REST Path Traversal Bypasses Token Redaction

REST Path Traversal Bypasses Token Redaction in netlicensing-mcp Summary The netlicensinggetproduct MCP tool in netlicensing-mcp interpolates a caller-controlled productnumber argument directly into a REST URL path without any validation. Passing ../token as the product number causes httpx to...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:21 p.m.18 views

AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)

Summary Two inbound-mail handlers act on a privileged effect without verifying that the sender is the operator, while a sibling handler in the same repo does. The higher-impact one: any external email routed to the bridge inbox causes the dispatcher to resume the operator's Claude Code session wi...

5.7AI score
Exploits0References2Affected Software4
Github Security Blog
Github Security Blog
added 2026/06/18 5:20 p.m.9 views

AgenticMail: Cross-agent task authorization bypass in AgenticMail API

Summary A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to GET /api/agenticmail/tasks/pending?assignee=. The returned task objects include the task IDs and payloads. The same task IDs can then be used with the...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:20 p.m.14 views

NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)

Summary A previous advisory CVE-2026-49463 / GHSA-qpm9-h556-mwxm reported that any logged-in user could download any document by its identifier, and stated this was fixed in 3.0.1. For the document-content part that fix was incomplete: documents remained downloadable by any authenticated user in...

5.5AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 5:19 p.m.10 views

Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape

Summary A sandbox volume reference volumeId, which may also be a volume name was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing path-traversal sequences could in principle resolve the mount source outside the intended per-volu...

4.2CVSS5.4AI score0.00171EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:32 p.m.8 views

MCP Toolbox for Databases: authenticated authorization bypass

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS5.9AI score0.0015EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:32 p.m.8 views

googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...

9.3CVSS6AI score0.00195EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:32 p.m.7 views

googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

9.3CVSS5.9AI score0.00204EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.13 views

OpenFGA Improper Policy Enforcement

Description In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response. Preconditions This applies if the following preconditions are met: 1. You run OpenFGA with MySQL as the datastore 2. Your authorization decisions rely on case-sensitive use...

2.1CVSS5.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load

Component: tract-nnef nnef/src/tensors.rs::readtensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.8 views

PGHoard: Password written to debug log

Impact When using .pgpass, database connection information including the username and password will be logged at the debug level. Patches Upgrade to version 2.7.1 or greater. Workarounds Filter out debug-level logs. References This issue was discovered by BugCrowd user DRAKOKORIAN...

5.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/18 3:5 p.m.10 views

Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...

7.5CVSS5.7AI score
Exploits0References3Affected Software1
Total number of security vulnerabilities33187