Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/04/18 1:5 a.m.6 views

OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path

Summary !IMPORTANT There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023. It is for informational purposes only. OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set...

5.9CVSS5.7AI score0.00222EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 1:0 a.m.13 views

YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()

Vulnerability Details YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any sanitization or parameterization. Vulnerable Code...

8.8CVSS5.9AI score0.00342EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 1:0 a.m.13 views

Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

Summary Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The...

9.8CVSS5.7AI score0.00809EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 12:59 a.m.14 views

PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.6AI score0.00191EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 12:55 a.m.10 views

Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment

Summary SubFileSystem fails to confine operations to its declared sub path when the input path is /../ or equivalents /../, /..\. This path passes all validation but resolves to the root of the parent filesystem, allowing directory level operations outside the intended boundary. Affected Componen...

5.7AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 12:46 a.m.10 views

Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

ZDI-CAN-29412: FlowiseAI Flowise AirtableAgent Code Injection Remote Code Execution Vulnerability Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise -- VULNERABILITY DETAILS ------------------------ Version tested: 3.0.13 Installer...

9.8CVSS6.8AI score0.00464EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/18 12:42 a.m.11 views

Zebra: addr/addrv2 Deserialization Resource Exhaustion

CVE-2026-40881: addr/addrv2 Deserialization Resource Exhaustion Summary When deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length over 233,000 that was derived from the 2 MiB message size limit. This is much larger th...

7.5CVSS5.7AI score0.00263EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/18 12:41 a.m.11 views

Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks

CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks Summary A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid fo...

8.1CVSS5.8AI score0.00261EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/17 10:33 p.m.8 views

elFinder: Command injection in resize background color parameter when using ImageMagick CLI

Severity High bg can be injected into shell command construction, leading to possible RCE in affected configurations. Summary elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image...

9.8CVSS6.1AI score0.01567EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:33 p.m.8 views

OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths

Summary The QMD backend memoryget read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. Impact When the QMD backend was enabled, a caller with access to memoryget could read arbitrary .md files...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:33 p.m.9 views

OpenClaw: Webchat media embedding enforces local-root containment for tool-result files

Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows...

6.3CVSS5.7AI score0.00264EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:32 p.m.11 views

OpenClaw: Feishu webhook and card-action validation now fail closed

Summary Feishu webhook mode accepted missing encryptKey configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments. Impact A...

9.8CVSS5.7AI score0.00718EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:32 p.m.9 views

OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries

Summary Matrix room control-command authorization used the effective allowlist for room traffic, which included sender IDs learned from the Matrix DM pairing store. A sender who was allowed only for a Matrix DM could therefore authorize room control commands when they also posted in a bot room...

8.8CVSS5.6AI score0.00288EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:32 p.m.15 views

OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation

Summary Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart. Impact A bearer token that should have been revoked by SecretRe...

9.8CVSS5.7AI score0.0054EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:31 p.m.14 views

Remote Code Execution (RCE) via String Literal Injection into math-codegen

Impact String literal content passed to cg.parse is injected verbatim into a new Function body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flo...

9.8CVSS6.1AI score0.00393EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:31 p.m.10 views

go-git: Credential leak via cross-host redirect in smart HTTP transport

Impact go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and...

7.4CVSS5.8AI score0.00259EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/17 10:30 p.m.9 views

Kimai: Username enumeration via timing on X-AUTH-USER

Details src/API/Authentication/TokenAuthenticator.php calls loadUserByIdentifier first and only invokes the password hasher argon2id when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:24 p.m.10 views

PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)

The fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass tableprefix straight into f-string SQL. Same root cause, same code pattern, same exploitation...

9.8CVSS5.9AI score0.00347EPSS
Exploits2References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/17 10:23 p.m.9 views

PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection

Summary The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parsemcpcommand, allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. Affected Package - Ecosystem: PyP...

9.8CVSS6.9AI score0.00824EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:21 p.m.7 views

OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR

Summary A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation...

8.4CVSS5.9AI score0.00194EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:21 p.m.10 views

yard: Possible arbitrary path traversal and file access via yard server

Impact A path traversal vulnerability was discovered in YARD = 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in GHSA-xfhh-rx56-rxcr wa...

7.5CVSS5.9AI score0.00388EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:20 p.m.10 views

Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:19 p.m.9 views

Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows

On Windows, Claude Code loaded system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory...

7.3CVSS5.8AI score0.00108EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:18 p.m.9 views

OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

Summary CDP /json/version WebSocket URL could pivot to untrusted second-hop targets. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 Impact A browser profile could trust a CDP /json/version response whose webSocketDebuggerUrl pointed at a differen...

7.7CVSS5.7AI score0.00265EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:17 p.m.9 views

OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure

Summary OpenClaw's outbound host-media attachment read helper could enable host-local file reads based on global or agent-level read access without also honoring sender and group-scoped tool policy. In channel deployments that used toolsBySender or group policy to deny read for less-trusted...

7.7CVSS5.7AI score0.00236EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:17 p.m.8 views

OpenClaw: QQBot media tags could read arbitrary local files through reply text

Summary QQBot media tags could read arbitrary local files through reply text. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact QQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage...

8.9CVSS5.8AI score0.00369EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:16 p.m.26 views

OpenClaw: busybox and toybox applet execution weakened exec approval binding

Summary busybox and toybox applet execution weakened exec approval binding. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.2.23 = 2026.4.12 Impact Opaque multi-call binaries such as busybox and toybox could obscure which applet or script-like behavio...

8.8CVSS5.9AI score0.00356EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:15 p.m.10 views

OpenClaw: Matrix profile config persistence was reachable from operator.write message tools

Summary Matrix profile config persistence was reachable from operator.write message tools. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Gateway operator.write message-tool paths could reach Matrix profile persistence that should have...

7.1CVSS5.7AI score0.00295EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:14 p.m.8 views

OpenClaw: Sandboxed agents could escape exec routing via host=node override

Summary Sandboxed agents could escape exec routing via host=node override. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A sandboxed agent could request host: "node" and route exec to a remote node instead of the intended...

8.8CVSS5.9AI score0.00347EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:14 p.m.13 views

OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF...

7.7CVSS5.7AI score0.00264EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:14 p.m.13 views

OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads

Summary Browser interaction routes could pivot into local CDP and regain file reads. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 Impact Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or rea...

5.7AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:12 p.m.12 views

OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins

Summary Workspace provider auth choices could auto-enable untrusted provider plugins. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 Impact Non-interactive onboarding could select a provider auth choice shadowed by an untrusted workspace plugin,...

8.8CVSS5.7AI score0.00381EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:11 p.m.12 views

OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement

Summary Existing-session browser interaction routes bypassed SSRF policy enforcement. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Existing-session browser interaction routes could continue interacting with or navigating targets without...

7.7CVSS5.7AI score0.00253EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:1 p.m.17 views

OpenClaw: Browser tabs action select and close routes bypassed SSRF policy

Summary Browser tabs action select and close routes bypassed SSRF policy. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The browser /tabs/action select and close branches could operate on targets without enforcing configured browser SSRF...

8.5CVSS5.7AI score0.00242EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 10:0 p.m.8 views

OpenClaw: Nostr profile mutation routes allowed operator.write config persistence

Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...

5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:59 p.m.8 views

OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0

Summary Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intende...

5.7AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:58 p.m.12 views

OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows

Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-ti...

8.8CVSS5.7AI score0.00386EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:58 p.m.12 views

OpenClaw: screen_record outPath bypassed workspace-only filesystem guard

Summary screenrecord outPath bypassed workspace-only filesystem guard. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The node-host screen recording tool could honor an outPath outside the workspace guard, allowing an authorized tool call...

7.1CVSS5.7AI score0.0022EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:58 p.m.10 views

OpenClaw: Browser SSRF policy default allowed private-network navigation

Summary Browser SSRF policy default allowed private-network navigation. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact Browser SSRF protection could allow private-network navigation by default in paths where restrictive behavior was...

7.7CVSS5.7AI score0.0028EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:58 p.m.8 views

OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding

Summary Browser SSRF hostname validation could be bypassed by DNS rebinding. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Browser navigation policy could validate a hostname/IP resolution that differed from the address Chromium ultimate...

6.3CVSS5.7AI score0.00199EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:57 p.m.13 views

OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes

Summary QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.12 Impact QQBot reply media URLs could be treated as trusted media sources, allowing SSRF fetches whose returned...

9.3CVSS5.7AI score0.00251EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:56 p.m.11 views

OpenClaw: Workspace .env could inject OpenClaw runtime-control variables

Summary Workspace .env could inject OpenClaw runtime-control variables. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 Impact A malicious workspace .env file could set OpenClaw runtime-control variables affecting update sources, gateway URLs,...

8.8CVSS5.7AI score0.00203EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:56 p.m.14 views

OpenClaw: Discord event cover images bypassed sandbox media normalization

Summary Discord event cover images bypassed sandbox media normalization. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.10 Impact Discord event cover image parameters could bypass the sandbox media normalization path used for outbound...

7.7CVSS5.7AI score0.00259EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:55 p.m.8 views

OpenClaw: Empty approver lists could grant explicit approval authorization

Summary Empty approver lists could grant explicit approval authorization. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.12 Impact For helper-backed channels, an empty resolved approver list could be interpreted as explicit approval authorization,...

6.5CVSS5.7AI score0.00244EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:55 p.m.26 views

OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input

Summary Agent hook events could enqueue trusted system events from unsanitized external input. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events,...

9.8CVSS5.7AI score0.0019EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:54 p.m.7 views

OpenClaw: Exec environment denylist missed high-risk interpreter startup variables

Summary Exec environment denylist missed high-risk interpreter startup variables. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact The exec environment policy missed interpreter startup variables such as VIMINIT, EXINIT, LUAINIT, and...

8.8CVSS5.9AI score0.00392EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:53 p.m.10 views

OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms

Summary Shell-wrapper detection missed env-argv assignment injection forms. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.2.22 = 2026.4.12 Impact Exec preflight handling missed shell-wrapper and argv-level environment assignment forms that could...

8.8CVSS5.9AI score0.00407EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:53 p.m.14 views

OpenClaw: Memory dreaming config persistence was reachable from operator.write commands

Summary Memory dreaming config persistence was reachable from operator.write commands. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 = 2026.4.10 Impact A write-scoped gateway path could toggle persistent memory dreaming settings through /dreamin...

7.1CVSS5.7AI score0.00213EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:51 p.m.22 views

OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks

Summary Microsoft Teams SSO invoke handler missed sender authorization checks. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 = 2026.4.14 Impact Microsoft Teams SSO signin invoke handling could process an invoke from a sender before applying the...

6.3CVSS5.7AI score0.00231EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/17 9:50 p.m.4 views

OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay

Summary Delivery queue recovery could lose group tool-policy context for media replay. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 = 2026.4.14 Impact Recovered queued outbound media could be replayed without the original session context neede...

6.5CVSS5.7AI score0.00214EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities33225