Lucene search
K
GithubRecent

33181 matches found

Github Security Blog
Github Security Blog
added 2026/04/02 9:32 p.m.6 views

Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protecti...

5.4CVSS6.1AI score0.00303EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:32 p.m.6 views

Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h3x4-hc5v-v2gm. This link is maintained to preserve external references. Original Description OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment...

7.6CVSS5.9AI score0.0026EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:24 p.m.10 views

OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)

Summary Security Scan Failure Does Not Block Plugin Installation Fail-Open Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an...

5.1CVSS5.8AI score0.00231EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:23 p.m.12 views

OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host

Summary SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: Real in shipped v2026.3.28: SSH sandbox tar upload lacked pre-upload symlink escape rejection until 3d5af14984 on...

8.1CVSS6AI score0.00533EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:22 p.m.11 views

OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery

Summary SSRF via Unguarded fetch in Marketplace Plugin Download and Ollama Model Discovery Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Keep the shipped marketplace archive-fetch SSRF, but narrow out the Ollama half because it is operator-configured and...

7.6CVSS5.9AI score0.00223EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:1 p.m.11 views

OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes

Summary SSH-based sandbox backends pass unsanitized process.env to child processes Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:1 p.m.8 views

OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API

Summary MSTeams thread history bypasses sender allowlist via Graph API Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 MS Teams because Graph-fetched thread history bypasses sender allowlists, with unreleased mainline filtering fix...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:1 p.m.12 views

OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Summary LINE webhook handler lacks shared pre-auth concurrency budget before signature verification Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is...

6.9CVSS5.9AI score0.00459EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:0 p.m.9 views

OpenClaw: Matrix thread root and reply context bypass sender allowlist

Summary Matrix thread root and reply context bypass sender allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix...

6.5CVSS5.8AI score0.00157EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:0 p.m.9 views

OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code

Summary Workspace .env can override the bundled hooks root and load attacker hook code Current Maintainer Triage - Status: open - Normalized severity: high - Assessment: v2026.3.28 still lets workspace .env override OPENCLAWBUNDLEDHOOKSDIR, which can replace trusted default-on bundled hooks from ...

8.5CVSS5.9AI score0.00133EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:59 p.m.8 views

OpenClaw: Feishu thread history and quoted messages bypass sender allowlist

Summary Feishu thread history and quoted messages bypass sender allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Feishu because fetched quoted/root/thread context bypasses sender allowlists, and SECURITY.md does not exempt...

5.4CVSS5.9AI score0.00225EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:59 p.m.14 views

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation

Summary Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation Current Maintainer Triage - Status: open - Normalized severity: Critical Affected Packages / Versions - Package: openclaw npm - Latest published npm version: 2026.3.31 - Vulnerable version range: = 2026.3.31 - Fir...

9.9CVSS5.8AI score0.00298EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:59 p.m.8 views

OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass

Summary Zalo webhook replay cache cross-target messageId scope bypass Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 replay dedupe is still keyed too broadly, but the issue should stay scoped to authenticated sibling-target delivery paths rather tha...

5.4CVSS6AI score0.00266EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:58 p.m.18 views

OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get

Summary OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still models Nostr privateKey as plain string so config views can expose it, and the secret-schema f...

7.1CVSS5.9AI score0.00207EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:57 p.m.39 views

OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic

Summary PIPINDEXURL and UVINDEXURL bypass host exec env sanitization and redirect Python package-index traffic Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay...

6.1CVSS6AI score0.00125EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:57 p.m.6 views

OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

Summary Voice-call Plivo replay mutates in-process callback origin before replay rejection Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: v2026.3.28 can still mutate Plivo callback origin before replay rejection, but this needs a captured valid callback for a...

6.3CVSS5.9AI score0.00229EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:46 p.m.7 views

OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes

Summary Unauthenticated plugin-auth HTTP routes receive operator runtime scopes Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: v2026.3.28 still gives auth:"plugin" routes operator WRITESCOPE, but impact should stay limited to plugin routes that actually tou...

8.8CVSS5.9AI score0.00286EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:44 p.m.4 views

Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization

The restoreTenant admin mutation is missing from the authorization middleware config admin.go:499-522, making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts...

10CVSS6AI score0.00452EPSS
Exploits1References5Affected Software3
Github Security Blog
Github Security Blog
added 2026/04/02 8:37 p.m.7 views

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Summary The fix for GHSA-c2ff-88x2-x9pg CVE-2023-48223 is incomplete. The publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that the CVE patched. Details The f...

9.1CVSS6.3AI score0.00687EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:36 p.m.10 views

Rack::Request accepts invalid Host characters, enabling host allowlist bypass

Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...

6.5CVSS5.9AI score0.00192EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:36 p.m.11 views

Rack has Content-Length mismatch in Rack::Files error responses

Summary Rack::Filesfail sets the Content-Length response header using Stringsize instead of Stringbytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the...

6.5CVSS5.8AI score0.00147EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:35 p.m.8 views

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Summary Rack::Sendfilemapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...

7.5CVSS5.8AI score0.00209EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:34 p.m.9 views

Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

Summary Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size...

7.5CVSS5.9AI score0.00369EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:32 p.m.7 views

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory

Summary Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, , or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem pa...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:32 p.m.7 views

Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Summary Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted...

7.5CVSS6.6AI score0.0043EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:31 p.m.11 views

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

6.5CVSS5.9AI score0.00179EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:31 p.m.7 views

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Summary Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result,...

6.5CVSS5.8AI score0.00227EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:30 p.m.11 views

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...

5.3CVSS5.9AI score0.00253EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 8:30 p.m.6 views

Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters

Summary Rack::Multipart::Parserhandlemimehead parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated Stringindex searches combined with Stringslice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticat...

7.5CVSS5.8AI score0.00475EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 7:7 p.m.6 views

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

Summary Rack::Utils.getbyteranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many...

7.5CVSS6.6AI score0.0038EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 6:44 p.m.5 views

Rack:: Static header_rules bypass via URL-encoded paths

Summary Rack::Staticapplicablerules evaluates several headerrules types against the raw URL-encoded PATHINFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers...

5.3CVSS5.9AI score0.00195EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 6:44 p.m.4 views

Rack::Static prefix matching can expose unintended files under the static root

Summary Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or...

7.5CVSS5.9AI score0.00387EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 6:36 p.m.7 views

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan RAT on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

6.1AI score
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 6:34 p.m.13 views

Axios npm Supply Chain Incident Impacting @usebruno/cli

Impact This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran npm install between 00:21 UTC and 03:30 UTC on March 31, 2026 may have been...

9.8CVSS5.9AI score0.00234EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 6:31 p.m.8 views

Krayin CRM is vulnerable to Cross-site Scripting (XSS)

A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the...

5.1CVSS4.4AI score0.00203EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.6 views

Agno is vulnerable to Eval Injection

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

9.8CVSS6.8AI score0.00852EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.7 views

Keycloak: Application-Level DoS via Scope Processing

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect OIDC token endpoint. This leads to high resource consumption and prolonged processing times, ultimate...

7.5CVSS5.9AI score0.00523EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.10 views

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable access tokens,...

7.4CVSS5.9AI score0.00424EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.43 views

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

8.1CVSS5.9AI score0.00346EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.107 views

Keycloak: Replay of action tokens via improper handling of single-use entries

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This...

5.3CVSS6AI score0.0025EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 3:31 p.m.18 views

Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers URIs that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information...

7.3CVSS5.8AI score0.0044EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 12:31 p.m.6 views

fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

6.5CVSS5.6AI score0.0111EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 9:30 a.m.7 views

a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function

A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be use...

5.3CVSS5.4AI score0.0013EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/02 12:3 a.m.9 views

Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster

Impact Any Juju controller since 3.2.0. An attacker with only route-ability to the target juju controller Dqlite cluster endpoint may join the Dqlite cluster, read and modify all information, including escalating privileges, open firewall ports etc. This is due to not checking the client...

10CVSS5.9AI score0.00381EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 11:58 p.m.7 views

mcp-handler has a tool response leak across concurrent client sessions ('Race Condition')

mcp-handler versions prior to 1.1.0 accepted @modelcontextprotocol/sdk =1.26.0, which contains the fix for CVE-2026-25536. Workarounds - Upgrade @modelcontextprotocol/sdk to =1.26.0 note: the SDK will throw on transport reuse, which will break mcp-handler 1.1.0 which effectively forces the upgrad...

7.1CVSS6.2AI score0.00267EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 11:57 p.m.12 views

EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory

Impact Microsoft.Bcl.Memory, a transitive dependency of EnhancedLinq.Async, had a Denial of Service security vulnerability, CVE-2026-26127, thus affecting EnhancedLinq.Async versions that had vulnerable versions of Microsoft.Bcl.Memory as a transitive dependency. Patches EnhancedLinq.Async 1.0.0...

7.5CVSS5.8AI score0.02049EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 11:51 p.m.178 views

lodash vulnerable to Code Injection via `_.template` imports key names

Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...

9.8CVSS6.1AI score0.01735EPSS
Exploits0References6Affected Software4
Github Security Blog
Github Security Blog
added 2026/04/01 11:50 p.m.43 views

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Impact Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the .unset and .omit functions. The fix for CVE-2025-13465 only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties fro...

6.5CVSS5.9AI score0.00317EPSS
Exploits0References4Affected Software4
Github Security Blog
Github Security Blog
added 2026/04/01 11:48 p.m.9 views

listmonk's active sessions remain valid after password reset and password change

Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...

7.1CVSS6AI score0.003EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 11:44 p.m.9 views

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

8.5CVSS6.3AI score0.00406EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities33181