Denial of service in Linux kernel nexthop query handling allows local authenticated attackers to crash the kernel by querying nexthop objects with large Equal-Cost Multi-Path groups via the RTM_GETNEXTHOP netlink message. The vulnerability stems from fixed-size socket buffer allocation that overflows when processing nexthop groups exceeding approximately 512 members, triggering a kernel warning and potential system instability.
Froxlor versions prior to 2.3.6 allow authenticated resellers to bypass domain quota restrictions by attributing newly created domains to arbitrary admins through unvalidated `adminid` parameter input in the `Domains.add()` function. This vulnerability enables quota exhaustion attacks against other administrators and domain creation beyond the attacker's assigned limits, with confirmed patch availability in version 2.3.6.
Stored cross-site scripting (XSS) in Koollab LMS courselet feature allows authenticated users to inject arbitrary JavaScript that executes in the browsers of other users with courselet access, potentially compromising account security and enabling credential theft or malicious actions on behalf of affected users. CVSS 5.4 reflects network delivery, low complexity, and limited confidentiality/integrity impact constrained by required user interaction and authenticated access.
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.
Stored Cross-Site Scripting in Gutentor plugin for WordPress up to version 3.5.5 allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization, executing arbitrary JavaScript in the browsers of users who view the compromised pages. The vulnerability requires contributor-level WordPress account access and user interaction (page view), resulting in limited but real risk to website content integrity and user session compromise.
A malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.
n8n-mcp v2.47.10 and earlier in HTTP transport mode logs sensitive authentication credentials and request metadata regardless of authentication outcome, allowing disclosure of bearer tokens, API keys, and JSON-RPC payloads to any system with access to server logs. While access control correctly rejects unauthenticated requests with 401 responses, the sensitive data from those rejected requests is persisted in logs before authentication is enforced, creating an information disclosure vulnerability (CWE-532) with CVSS 5.3 (low confidentiality impact). No public exploit code or active exploitation is documented; patch is available in v2.47.11.
Cache poisoning in @astrojs/node versions 9.4.4 and earlier allows unauthenticated remote attackers to poison CDN caches by sending malformed if-match headers to static asset endpoints, causing the server to return 500 errors with immutable one-year cache directives instead of the correct 412 Precondition Failed response. This vulnerability affects all subsequent requests to poisoned assets until the cache expires, breaking application functionality for legitimate users. The vulnerability is not actively exploited in the wild, but proof-of-concept exploitation is straightforward and requires only a single crafted HTTP request.
### TL;DR This vulnerability affects all Kirby sites where users have the permission to create pages (`pages.create` permission is enabled) but not the permission to change the status of pages (`pages.changeStatus` permission is disabled). This can be due to configuration in the user blueprint(s), via `options` in the page blueprint(s) or via a combination of both settings. Users' Kirby sites are *not* affected if their use case does not consider the creation of published pages a malicious action. The vulnerability can only be exploited by authenticated users. ---- ### Introduction An authorization bypass allows authenticated users to perform actions they should not be allowed to perform based on their configured permissions, thereby causing a privilege escalation. The effects of an authorization bypass can include unauthorized access to sensitive information as well as unauthorized changes to content or system information. ### Impact Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). In affected releases, Kirby checked these permissions independently and only for the respective action. However the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However the REST API allows to override the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. ### Patches The problem has been patched in [Kirby 4.9.0](https://github.com/getkirby/kirby/releases/tag/4.9.0) and [Kirby 5.4.0](https://github.com/getkirby/kirby/releases/tag/5.4.0). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability. In all of the mentioned releases, Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts. ### Credits Kirby thanks @offset for responsibly reporting the identified issue.
LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information.
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
SQL injection in CMS ALAYA 7.4.1.4 and earlier allows authenticated administrators to obtain or modify database information through the administrative interface. The vulnerability requires high-privilege access (PR:H) and carries low confidentiality, integrity, and availability impact per CVSS 4.0 scoring. No public exploit code or active exploitation has been identified at time of analysis.
DLL hijacking in EfficientLab Controlio before v1.3.95 allows local attackers with high privileges to achieve arbitrary code execution by placing a specially crafted DLL in the installation directory, leveraging weak folder permissions and the service's NT AUTHORITY\SYSTEM execution context. Real-world risk is constrained by the high privilege requirement (PR:H) and local-only attack vector; EPSS score of 0.01% and CISA SSVC framework marking exploitation as 'none' and technical impact as 'partial' indicate low current exploitation likelihood despite the RCE tag.
Froxlor versions prior to 2.3.6 fail to validate domain ownership correctly when adding full email sender aliases, allowing authenticated customers to add sender aliases for email addresses on domains belonging to other customers and subsequently send emails as those addresses via Postfix sender_login_maps authorization. The vulnerability stems from an array indexing error in EmailSender::add() that passes the local part of an email address instead of the domain to the ownership validation function, causing the check to pass for non-existent domains. No active exploitation has been confirmed at the time of analysis.
Arbitrary file write vulnerability in IBM Guardium Data Protection 12.1 allows authenticated administrative users to traverse directories and write files to arbitrary locations via specially crafted URLs containing path traversal sequences (/../). The vulnerability requires high-privilege admin credentials and network access but results in integrity compromise without requiring user interaction, making it a post-authentication privilege abuse risk for organizations running this data protection platform.
IBM Guardium Data Protection versions 12.0, 12.1, and 12.2 contain an authentication bypass vulnerability in the access management control panel that allows high-privilege users to circumvent business logic controls and modify access policies without proper authorization constraints. The vulnerability requires administrative credentials to trigger but results in unauthorized privilege escalation or policy modification within the management interface. No public exploit code or active exploitation has been identified at the time of analysis.
Improper privilege management in IBM Guardium Key Lifecycle Manager versions 4.1 through 5.1 allows remote unauthenticated attackers to achieve limited confidentiality and integrity compromise through a network attack requiring high complexity. The vulnerability stems from inadequate access control enforcement that permits elevation of privileges without authentication, affecting a widely deployed enterprise key management solution.
WebKitGTK and WPE WebKit contain an API design flaw that allows untrusted web content to bypass the WebPage::send-request signal handler and perform unapproved network operations including IP connections, DNS lookups, and HTTP requests. The vulnerability affects applications across Red Hat Enterprise Linux 6-9 that rely on this signal to control network access. A remote attacker can trigger these bypassed requests via crafted web content with only user interaction (UI:R), resulting in limited confidentiality impact (C:L) without code execution.
### Impact `melange lint --persist-lint-results` (opt-in flag, also usable via `melange build --persist-lint-results`) constructs output file paths by joining `--out-dir` with the `arch` and `pkgname` values read from the `.PKGINFO` control file of the APK being linted. In affected versions these values were not validated for path separators or `..` sequences, so an attacker who can supply an APK to a melange-based lint/build pipeline (e.g. CI that lints third-party APKs, or build-as-a-service) could cause melange to write `lint-<pkgname>-<pkgver>-r<epoch>.json` to an arbitrary `.json` path reachable by the melange process. The written file is a JSON lint report whose content is partially attacker-influenced. There is no direct code-execution path, but the write can clobber other JSON artifacts on the filesystem. The issue only affects deployments that explicitly pass `--persist-lint-results`; the flag is off by default. ### Patches Fixed in melange **v0.43.4** by validating `arch` and `pkgname` for `..`, `/`, and `filepath.Separator` before path construction in `pkg/linter/results.go` (commit [84f3b45](https://github.com/chainguard-dev/melange/commit/84f3b450ce6e472c4abb8dc4c26d0ce8ac1259ac)). ### Workarounds Do not pass `--persist-lint-results` when linting or building APKs whose `.PKGINFO` contents are not fully trusted. Running melange as a low-privileged user and confining writes to an isolated directory also limits impact. ### Credits melange thanks Oleh Konko ([@1seal](https://github.com/1seal) from [1seal.org](https://1seal.org/)) for discovering and reporting this issue.
Broken access control in Navneil Naicker ACF Galerie 4 plugin versions up to 1.4.2 allows authenticated users to modify content they should not have permission to access. The vulnerability stems from missing authorization checks in functionality protected only by authentication level, enabling privilege escalation or unauthorized data modification by low-privileged WordPress users.
Authenticated users in Rocket.Chat versions prior to 8.4.0, 8.3.2, 8.2.2, 8.1.3, 8.0.4, 7.13.6, 7.12.7, 7.11.7, and 7.10.10 can read application engine logs via the /api/apps/logs and /api/apps/:id/logs endpoints due to a typo in permission validation logic. The vulnerability allows authenticated attackers with insufficient privileges to bypass authorization checks and access sensitive logs containing partial information, with no public exploit confirmed at time of analysis.
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.
Libgcrypt before version 1.12.2 contains a bounds-check vulnerability in Dilithium signing operations where writes to a static array lack proper bounds validation, potentially causing memory corruption and integrity loss. The vulnerability affects local attackers with non-privileged access on systems running vulnerable versions 1.12.0 and 1.12.1. While the vulnerability does not involve attacker-controlled data in the array writes themselves, the missing bounds check creates an integrity and availability risk through uncontrolled memory modification.
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values.
IBM Guardium Data Protection 12.0 through 12.2 contains a security misconfiguration in the user access control panel that allows high-privilege administrators to modify integrity settings without proper authorization constraints. The vulnerability is remotely accessible and requires existing administrative credentials, resulting in limited integrity impact with no confidentiality or availability effect. CVSS score of 2.7 reflects the low risk profile due to required administrative authentication and minimal scope of impact.
UUID library versions before 14.0.0 make unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially corrupting adjacent memory. UUID version 4, the most commonly deployed variant, is unaffected. The vulnerability requires local access and non-default buffer configuration to exploit, resulting in integrity compromise rather than code execution or availability impact.
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
## Summary The `fetch()` call for remote images in `packages/integrations/cloudflare/src/utils/image-binding-transform.ts` (line 28) uses the default `redirect: 'follow'` behavior. This allows the Cloudflare Worker to follow HTTP redirects to arbitrary URLs, bypassing the `isRemoteAllowed()` domain allowlist check which only validates the initial URL. All three other image fetch paths in the codebase correctly use `{ redirect: 'manual' }`. This is an incomplete fix for GHSA-qpr4-c339-7vq8. Confirmed on HEAD. ## Root Cause `image-binding-transform.ts` line 28: const content = await (isRemotePath(href) ? fetch(imageSrc) : assets.fetch(imageSrc)); Missing `{ redirect: 'manual' }`. The three protected paths: // image-passthrough-endpoint.ts:23 response = await fetch(href, { redirect: 'manual' }); // assets/endpoint/shared.ts:11 const res = await fetch(src, { redirect: 'manual' }); // assets/utils/remoteProbe.ts:53 const response = await fetch(url, { redirect: 'manual' }); ## PoC Demonstrated with Node.js that `fetch()` without `redirect: 'manual'` follows 302 redirects to arbitrary destinations: # Server A (allowed domain) returns 302 → Server B (internal) fetch('http://allowed:19741/img.jpg') → follows 302 → hits http://internal:19742/secret fetch('http://allowed:19741/img.jpg', {redirect:'manual'}) → returns 302, internal server NOT hit Attack path: attacker finds an open redirect on an allowed domain, crafts `/_image?href=https://allowed-cdn.com/redirect?url=http://internal-service/`, and the Worker follows the redirect to the unauthorized destination. ## Impact Bypasses the `image.domains` and `image.remotePatterns` allowlist for the default Cloudflare image service (`cloudflare-binding`). Enables blind SSRF to domains not in the allowlist. Same vulnerability class as GHSA-qpr4-c339-7vq8 (HIGH) which fixed the passthrough endpoint but missed this one. ## Suggested Fix const content = await (isRemotePath(href) ? fetch(imageSrc, { redirect: 'manual' }) : assets.fetch(imageSrc));
Reliance on reverse DNS resolution in ericc-ch copilot-api up to version 0.7.0 allows authenticated remote attackers to manipulate the Host header in the /token endpoint, leading to information disclosure. The vulnerability affects the Header Handler component and has been publicly disclosed with exploit code available; the vendor did not respond to early disclosure notification.
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.