Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.
Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.
OpenClaw versions before 2026.2.12 suffer from a path traversal vulnerability in transcript file handling that allows authenticated local users to read and modify arbitrary files on the system by injecting directory traversal sequences into sessionId or sessionFile parameters. An attacker with local access can exploit this to access sensitive files outside the intended agent sessions directory without additional privileges. No patch is currently available for this vulnerability.
OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.
Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.