33225 matches found
OpenClaw: Heartbeat owner downgrade missed local async exec completion events
Summary Heartbeat owner downgrade missed local async exec completion events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.3.31 = 2026.4.10 Impact Local background exec completion text could be missed by heartbeat owner-downgrade detection, leaving ...
OpenClaw: Voice-call realtime WebSocket accepted oversized frames
Summary Voice-call realtime WebSocket accepted oversized frames. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 = 2026.4.10 Impact The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for...
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
Summary Heartbeat owner downgrade missed untrusted webhook wake events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.14 Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
Summary Browser snapshot and screenshot routes could expose internal page content after navigation. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact Authenticated browser tool callers could use snapshot, screenshot, or tab routes that did n...
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fiel...
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context
Summary Collect-mode queue batches could reuse the last sender authorization context. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact Collect-mode queued messages from different senders could be drained as one batch using the final sender'...
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Summary The text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential e.g., OpenAI or...
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Summary The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image...
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
Summary A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the service uses repository.save with a client-supplied primary key, the POST create endpoint behave...
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Executive Summary This report documents a critical security research finding in the compressing npm package specifically tested on the latest v2.1.0. The core vulnerability is a Partial Fix Bypass of CVE-2026-24884. The current patch relies on a purely logical string validation within the...
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes
OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the apikey configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke...
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures
Summary The readonly mode in mcp-neo4j-cypher versions prior to 0.6.0 can be bypassed using CALL procedures. Details Impact The enforcing of readonly mode in vulnerable versions could be bypassed by certain APOC procedures. Patches v0.6.0 release hardened the checks around the mode. The only way ...
Sentry: Improper authentication on SAML SSO process allows user identity linking
Impact A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same...
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Summary An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the MAINODTASPDF configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the ex...
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
Summary Sandbox noVNC helper route exposed interactive browser session credentials. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.2.21 = 2026.4.10 Impact The sandbox noVNC helper route could be reached without the intended bridge authentication,...
Bouncy Castle Has Covert Timing Channel Vulnerability
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all core modules. This vulnerability is associated with program files FrodoEngine.Java. This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations. This issue affects...
Bouncy Castle has an LDAP injection
Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84...
Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks
The GOST 28147-2015 CTR mode implementation G3413CTRBlockCipher in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe...
Bouncy Castle Uncontrolled Resource Consumption vulnerability
Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This issue affects BC-JAVA before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion...
PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability
PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...
Craftql vulnerable to Server-Side Request Forgery
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery SSRF which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
Mattermost doesn't validate CSRF tokens on an authentication endpoint
Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost...
goldmark vulnerable to Cross-site Scripting (XSS)
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting XSS due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check IsDangerousURL before resolving HTML entities...
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessions via concurrent...
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This...
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16...
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0,...
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret...
Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
Summary Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes \ to forward slashes / for special schemes, a payload such as /\evil.com/path slips through isrelativeurl, is emitted unchanged in t...
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
Summary langchain-openai's urltosize helper used by getnumtokensfrommessages for image token counting validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostnam...
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass
Summary HTMLHeaderTextSplitter.splittextfromurl validated the initial URL using validatesafeurl but then performed the fetch with requests.get with redirects enabled the default. Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to...
Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths
Vulnerability Currently, when hashing, if the number of elements to hash is not a multiple of the rate, hashiter pads by elements of the current state. This means that it is possible to create iterators of different lengths which lead to an identical hashed state. Given a simple example using a...
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Summary A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and...
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)
Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Summary The GET, POST, and DELETE handlers under /agents/:id/keys in the Paperclip control-plane API only call assertBoardreq, which verifies that the caller has a board-type session but does not verify that the caller has access to the company owning the target agent. A board user whose membersh...
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Summary MarkdownBody, the shared component used to render every Markdown surface in the Paperclip UI issue documents, issue comments, chat threads, approvals, agent details, export previews, etc., passes urlTransform=url = url to react-markdown. That override replaces react-markdown's built-in...
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Summary The approval-resolution endpoints POST /approvals/:id/approve, /reject, /request-revision accept a client-supplied decidedByUserId field in the request body and write it verbatim into the authoritative approvals.decidedByUserId column — without cross-checking it against the authenticated...
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Isolated paperclip instance running in authenticated mode default config on a clean Docker image matching commit b649bd4 2026.411.0-canary.8, post the 2026.410.0 patch. This advisory was verified on an unmodified build. Summary POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE...
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
| Field | Value | |-------|-------| | Affected Software | Paperclip AI v2026.403.0 | | Affected Component | Execution Workspace lifecycle workspace-runtime.ts | | Affected Endpoint | PATCH /api/execution-workspaces/:id | | Deployment Modes | All — localtrusted zero auth, authenticated any company...
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
Summary A Paperclip-managed codexlocal runtime was able to access and use a Gmail connector that I had connected in the ChatGPT/OpenAI apps UI, even though I had not explicitly connected Gmail inside Paperclip or separately inside Codex. In my environment this enabled mailbox access and a real...
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Summary Several API endpoints in authenticated mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed. Verified against the latest version. Discord: sagi03581 Steps t...
Paperclip: Malicious skills able to exfiltrate and destroy all user data
Summary An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials. Details A malicious skill can instruct the agent to exploit th...
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Summary Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host. An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host. The...
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Summary Paperclip contains an arbitrary file read vulnerability that allows an attacker with an Agent API key to read files from the Paperclip server host filesystem. The vulnerability occurs because agents are allowed to modify their own adapterConfig through the /agents/:id API endpoint. The...
OAuth 2.1 Provider: Unprivileged users can register OAuth clients
Am I affected? You're affected if all of the following are true: - Using @better-auth/oauth-provider at version specified below - You configured clientPrivileges in the plugin options expecting it to gate who can create OAuth clients - The /oauth2/create-client or /admin/oauth2/create-client...
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
Summary The authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query paramete...
Unsafe object property setter in mathjs
Impact This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. Patches The issue was introduced in mathjs v13.1.1, an...
Authlib: Cross-site request forging when using cache
Summary There is no CSRF protection on the cache feature on most integrations clients. Details In authlib.integrations.starletteclient.OAuth, no CSRF protection is set up when using the cache parameter. When not using the cache parameter, the use of SessionMiddleware ties the client to the auth...
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
Impact A Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering SSR. When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine Express, etc. passes the URL string to Angular’s...