33187 matches found
netavark has incorrect error handling for malformed tcp packets
Impact A truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. Patches https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1 Workarounds None Credits Thanks to @dkane01 for reporti...
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit...
OpenViking contains a missing authorization vulnerability in the task polling endpoints
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/taskid routes withou...
Apache Cassandra has an authenticated DoS over CQL
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue...
Apache Cassandra has sensitive Information Leak in cqlsh
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via /.cassandra/cqlshhistory local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issue. -- Description:...
Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are...
yaffa vulnerable to Cross Site Scripting
yaffa v2.0.0 is vulnerable to Cross Site Scripting XSS. An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page...
Memory-safety vulnerability in github.com/jackc/pgx/v5.
Memory-safety vulnerability in github.com/jackc/pgx/v5...
pgx contains memory-safety vulnerability
pgx is a pure Go driver and toolkit for PostgreSQL. pgx prior to v5.9.0 contains a memory-safety vulnerability...
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags
Summary The fix for ExifTool arbitrary file write commit 043b158, released in v8.29.0 uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink...
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Summary Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. Details Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns...
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
Summary Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext ws:// gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint. Impact A user who followed a forged...
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Summary Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences. Impact The affected paths exposed a...
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Summary Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as localhost. and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost. Impact A hostile discovery respons...
OpenClaw: pnpm dlx approvals did not bind local script operands
Summary Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval. Impact An operator could approve a benign...
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding
Summary Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. Impact An approved command could run with...
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
Summary Before OpenClaw 2026.4.2, the Gateway connect success snapshot exposed local configPath and stateDir metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role. Impact A non-admin client...
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
Summary Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled. Impact A...
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
Summary Before OpenClaw 2026.4.2, POST /sessions/:sessionKey/kill did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session. Impact A read-scoped caller could perform a write-class control-plane...
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Summary Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check. Impact A loaded attacker-controlled page...
OpenClaw: QQ Bot structured payloads could read arbitrary local files
Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. Impact Prompt-influenced structured payload output could exfiltrate...
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped
Summary Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute remoteWorkspaceDir and remoteAgentWorkspaceDir values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations. Impact If an attacker could influence those...
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Summary Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account. Impact This issue...
OpenClaw: Forged Nostr DMs could create pairing state before signature verification
Summary Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection. Impact An unauthenticated remote sender could consume...
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Summary Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as --rcfile, --init-file, and --startup-file could therefore inherit allowlist trust from a matched script path even...
OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
Summary OpenShell mirror mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped = 2026.3.28 - First stable tag...
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
Summary Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated...
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
Summary sessionstatus still bypasses configured tools.sessions.visibility for unsandboxed invocations Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped v2026.3.22: non-sandboxed sessionstatus skipped the shared visibility guard, but this is a...
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
Summary Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow...
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
Summary Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real shipped malicious-workspace-config env injection in the CLI backend runner, fixed by sanitizing backend...
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
Summary Marketplace Plugin Download Follows Redirects Without SSRF Protection Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still uses bare redirect-following fetch in src/plugins/marketplace.ts for marketplace archives, and fixed-on-main only doe...
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
Summary Tlon media downloads can bypass core safety limits and exhaust disk Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a...
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
Summary /phone arm//phone disarm Bypasses operator.admin Scope Check for External Channels Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped...
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
Description In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement. Am I affected? You are affected if you meet the following preconditions: 1. You execute BatchCheck operation...
Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
Summary @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to mak...
Electron: Crash in clipboard.readImage() on malformed clipboard image data
Impact Apps that call clipboard.readImage may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected...
Electron: Named window.open targets not scoped to the opener's browsing context
Impact When a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If...
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
Summary The attributefilter in the Lupa library is intended to restrict access to sensitive Python attributes when exposing objects to Lua. However, the filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to...
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
Summary OpenIdentityPlatform OpenAM 16.0.5 and likely earlier versions is vulnerable to pre-authentication Remote Code Execution RCE via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the...
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGIRequest allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants with hyphens or with underscores to a single version with underscores. Earlier, unsupported Django...
Django vulnerable to privilege abuse in GenericInlineModelAdmin
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged POST data in GenericInlineModelAdmin. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated a...
Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation
A flaw was found in Open Cluster Management OCM, the technology underlying Red Hat Advanced Cluster Management ACM. Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This...
Django vulnerable to privilege abuse in ModelAdmin.list_editable
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Admin changelist forms using ModelAdmin.listeditable incorrectly allowed new instances to be created via forged POST data. Earlier, unsupported Django series such as 5.0.x, 4.1.x, and 3.2.x were not evaluated a...
Django has potential DoS via MultiPartParser through crafted multipart uploads
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads with Content-Transfer-Encoding: base64 including excessive whitespace. Earlier, unsupported Django series such as...
Django: SGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated Content-Length header could bypass the DATAUPLOADMAXMEMORYSIZE limit when reading HttpRequest.body, allowing remote attackers to load an unbounded request body into...
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is...
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...