33225 matches found
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gxg4-2rrr-jhc7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist...
Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v2ww-5rh7-2h5v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers ...
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5cj2-3jr2-5h77. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken stri...
Duplicate Advisory: Active Memory write scope could mutate global config
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-x629-46cc-7xgw. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows...
Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-24vr-rprv-67rf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env...
Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-68xw-r643-9p5w. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispat...
Duplicate Advisory: Slack reaction events could ignore reaction notification settings
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fcvx-5cxc-v5p8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the...
Duplicate Advisory: Focus command could miss controlScope enforcement
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mpc8-jxjh-qpgh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows...
Duplicate Advisory: Discord allowFrom could bind to mutable display names
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cw4q-gqg5-g38h. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validat...
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cwpp-5962-q4f6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute...
Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device...
Duplicate Advisory: memory-wiki shared search could miss session visibility checks
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-72fw-cqh5-f324. This link is maintained to preserve external references. Original DescriptionOpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows...
Duplicate Advisory: Exported session HTML could keep unsafe markdown links
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w9hf-3pp7-pvxv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsaf...
Duplicate Advisory: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fq9j-vw4w-fr6v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to...
Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rjxq-qqhf-8hwh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwar...
Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles
Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who ow...
Caddy: stripHTML template function bypass
Summary Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow...
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Summary forwardauth copyheaders deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through phpfastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with . This lets a client send an underscor...
Caddy: Windows `file_server` path authorization bypass via encoded backslash
Summary On Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but fileserver later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting...
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
Summary If aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code...
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. Impact When a sandbox owner changed a preview from...
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
Summary There is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact,...
Crawl4AI: SSRF via proxy settings in the Docker server bypasses the crawl-URL SSRF check
Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while usin...
Crawl4AI: Arbitrary file write (symlink/TOCTOU) plus log and webhook-header injection in Docker server
Summary Three backward-compatible hardening fixes in the Docker API server. The headline issue is an arbitrary file write via the screenshot/PDF outputpath. 1. Arbitrary file write via outputpath symlink / TOCTOU primary POST /screenshot and POST /pdf accept an outputpath constrained to...
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
Summary The Docker API server let a request control where LLM calls were sent and which environment variable an LLM token resolved from. Both could be abused to exfiltrate server-held secrets. The Docker API is unauthenticated by default. Vector 1 - attacker baseurl /md, /llm, and /llm/job accept...
Crawl4AI: SSRF filter bypass in Docker server via IPv6 transition forms (NAT64 / 6to4 / unspecified / v4-mapped)
Summary The Docker API server's SSRF protection validatewebhookurl / validateurldestination in deploy/docker/utils.py used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata endpoints e.g. 169.254.169.254 despite...
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. Details The fix for CVE-2024-38519 enforced an allowlist for file extensions, in orde...
yt-dlp: File Downloader cookie leak with curl
Summary If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is...
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Unauthenticated SSRF in /webapi/proxy allows anyone to proxy requests and inject cookies on lobehub.com Summary The /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. This is the same proxy code that was vulnerable in...
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Summary Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration. Vulnerabilities 1. Arbitrary File Write via /screenshot and /pdf CWE-22, CVSS 9....
Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Summary The safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT start with underscore, enabling a complete sandbox escape to achieve...
Hugo: Symlink confinement bypass in resources.Get
Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...
Hugo: security.http.urls allow-list bypass via HTTP redirects
Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls Affected versions: v0.91.0 when security.http.urls was introduced through v0.161.1. Fixed in: v0.162.0. Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch...
Hugo: XSS via text/html content files
Commit: e41a06447d — Disallow HTML content by default Affected versions: all Hugo versions prior to v0.162.0. Fixed in: v0.162.0. Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load. Description. Hugo...
Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different...
Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions
Summary When Deno was run in BYONM mode nodeModulesDir: "manual", the module resolver did not validate that a package's resolved entrypoint stayed within its nodemodules// directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk,...
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
Summary Deno's network permission model is designed so that --deny-net rules apply to the resolved IP address of a destination, not just the literal string supplied by the caller. That means --deny-net=127.0.0.1 or --deny-net=127.0.0.0/8 is expected to block any attempt to reach loopback,...
Deno: Miller-Rabin Primality Test Allows Zero Rounds
Summary node:crypto.checkPrimecandidate, options, callback and crypto.checkPrimeSynccandidate, options ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any...
Deno: Command Injection via spawnSync & spawn on Windows
Summary Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.exe metacharacters such as &, |, , ^, !, , , and did not neutralize %...
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Summary In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...
Deno: WebSocket API sandbox bypass via missing post-DNS check
Summary When a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a...
Deno: `fetch()` API sandbox bypass via missing DNS resolution check
Summary When fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP,...
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
Summary There is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard host rule such as Host.example.com with stricter TLS options for...
n8n: Merge Node SQL Mode Prototype Pollution
Impact An authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by one user's workflow...
n8n: Prototype Pollution enables confused-deputy execution via public webhooks
Impact A prototype pollution vulnerability allowed a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. These fields could be surfaced and consumed as normal values by downstream built-in nodes. Where a workflow combines a public...
n8n: Same-Origin XSS in Respond to Webhook Node
Impact An authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript ...
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
Impact The MicrosoftAgent365Trigger and StripeTrigger node did not validate that inbound requests. As a result, an unauthenticated attacker who knows the webhook URL could submit a forged payload and cause the workflow to execute with attacker-controlled data. Patches The issue has been fixed in...
n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint
Impact The POST /workflows/workflowId/test-runs/new endpoint authorized access using workflow:read rather than workflow:execute. An authenticated user with read-only access to a workflow could trigger a real evaluation test run, causing the workflow to execute via the internal workflow runner. Th...
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
Impact An authenticated user with workflow edit access could supply a malicious filter value in the MongoDB node's Find And Replace operation. The value was not validated before being passed to MongoDB as a query filter, allowing unintended documents to be matched and overwritten with...
n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes
Impact An authenticated user with permission to create or modify workflows could supply a crafted parameters to the TimescaleDB and/or legacy Postgres v1 node's allowing arbitrary SQL to be injected and executed against the connected database within the privileges of the configured database...