Absolute path traversal in pyLoad download manager allows authenticated users to write files to arbitrary filesystem locations via unsanitized package folder names in the set_package_data() API function. Users with Perms.MODIFY can redirect downloads to sensitive directories (e.g., /etc, /root, system directories) bypassing intended download directory restrictions, enabling configuration overwrite or denial of service through disk exhaustion. Publicly available exploit code exists with complete proof-of-concept in the GitHub security advisory. CVSS 8.1 (High) reflects high integrity and availability impact limited by low-privilege authentication requirement.
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Remote unauthenticated attackers can execute JavaScript in administrator sessions of YAF.NET forum software (versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4) by injecting malicious User-Agent headers via any endpoint that triggers exception logging, notably /api/Attachments/GetAttachment. The stored XSS payload fires when administrators view the Event Log admin panel, enabling full forum takeover through admin-session hijacking. A working proof-of-concept exists requiring only a single anonymous HTTP request. EPSS and KEV data not available; CVSS 8.1 (High) reflects network vector, low complexity, and no authentication requirement, though the UI:R metric indicates the admin must visit the log page for execution.
Use-after-free in Linux kernel's netfilter nft_ct subsystem allows local authenticated attackers with low privileges to achieve code execution, privilege escalation, or denial of service. The vulnerability stems from stale references to conntrack zone templates, timeout policies, and helper objects in packets queued to nfqueue when these objects are removed. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no active exploitation confirmed at time of analysis. Vendor-released patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0).
Use-after-free in XFS filesystem recovery code allows local attackers with user interaction to achieve high-severity impacts including potential code execution, data corruption, or denial of service. The vulnerability stems from incorrect error handling in xfs_attri_recover_work() where the code attempts to release an inode pointer that was never successfully allocated, causing a dereference of uninitialized memory. Patches are available across multiple kernel versions (6.12.80, 6.18.21, 6.19.11, 7.0), and EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability with no public exploit identified at time of analysis.
eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.
Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.
Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.
Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.
Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.
AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.
OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.
Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.
Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.
Jupyter Server allows authenticated users to maintain indefinite access even after password changes due to persistent authentication cookie secrets stored in an unrotated file. An attacker who obtains a valid authentication cookie can continue using it to access the server with full privileges regardless of subsequent password resets or server restarts, affecting all Jupyter Server deployments using password authentication.
Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.
Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.
Authorization context reuse in OpenClaw's collect-mode queue batching allows attackers with low-privilege accounts to execute messages with elevated permissions inherited from subsequent higher-privileged senders. The vulnerability occurs when messages from multiple senders are batched together, causing earlier queued messages to execute under the authorization context of the final sender in the batch rather than their own. Vendor-released patch (version 2026.4.14) confirmed available via GitHub advisory GHSA-jwrq-8g5x-5fhm and commit 43d4be9. No public exploit identified at time of analysis.
GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. Publicly available exploit code exists (POC in GitHub advisory GHSA-p3w2-64xm-833j). Vendor-released patch available in v4.5.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects the trivial remote exploitation of critical network infrastructure with no mitigating factors.
SQL injection in AWP Classifieds plugin for WordPress versions up to 4.4.5 allows remote unauthenticated attackers to extract sensitive database contents via array key manipulation in the 'regions' parameter. The vulnerability stems from insufficient escaping of user input in search functionality, affecting the plugin's query integration and page search components. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this poses significant risk to WordPress sites running this classifieds plugin, though no public exploit or active exploitation has been identified at time of analysis.
Unauthenticated SQL injection in Form Maker by 10Web plugin allows remote attackers to extract sensitive database contents including user credentials, form submissions, and WordPress configuration data. The vulnerability affects all versions through 1.15.42 and requires no special configuration - any WordPress site running the plugin with default settings is exploitable. CVSS 7.5 (High) reflects network-based unauthenticated access with high confidentiality impact. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. Patch available in version 1.15.43 per Trac changeset 3518461.
Unauthenticated SQL injection in GeekyBot WordPress plugin allows remote attackers to extract sensitive database contents via the 'attributekey' parameter. Affects all versions through 1.2.0. The CVSS 7.5 rating reflects network-based exploitation requiring no authentication or user interaction, with high confidentiality impact. Wordfence Threat Intelligence identified this vulnerability, with a patch committed in changeset 3474168. No active exploitation confirmed in CISA KEV at time of analysis, though the trivial attack complexity (AC:L) and unauthenticated vector (PR:N) make this a realistic target for automated scanning and exploitation.
Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.
Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.
Arbitrary local file disclosure in changedetection.io allows remote unauthenticated attackers to read sensitive system files via crafted backup archives. When a malicious backup ZIP is uploaded and restored, the application trusts attacker-controlled paths in the history.txt file, enabling reads of files like /etc/passwd, environment variables, application secrets, and mounted Docker volumes through the Preview UI or history API. This vulnerability (CVSS 7.5) affects all versions through 0.54.10, with fix available in 0.55.1. No active exploitation (KEV) confirmed, but a detailed proof-of-concept exists demonstrating the complete attack chain from backup modification to file exfiltration. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit code makes this a priority for immediate patching.
Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.
Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.
Denial of Service vulnerability in Samsung Exynos chipsets (980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, and modems 5123, 5300, 5400) allows remote unauthenticated attackers to crash devices by sending malformed 5G NR NAS registration accept messages. The flaw affects the Mobility Management (MM) component's message parser, triggering resource exhaustion (CWE-770) that disrupts cellular connectivity. CVSS 7.5 (High) with network attack vector and no prerequisites, though EPSS indicates only 0.02% exploitation probability and no public exploits identified at time of analysis.
Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.
Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stack-to-heap overflow in Nix and Lix daemon's NAR parser enables local privilege escalation to root in multi-user installations. Low-privileged users with daemon access can trigger unbounded recursion in the coroutine-based parser to overwrite heap memory and achieve arbitrary code execution as the Nix daemon (root), provided ASLR can be bypassed. Vulnerability affects Nix 2.24.4-2.34.6 and Lix 2.93.0-2.95.1, with vendor-confirmed patches released across multiple version branches. CVSS vector indicates local attack with high complexity but cross-scope privilege escalation, consistent with the EPSS score suggesting targeted exploitation scenarios rather than mass scanning.
SQL injection in WeePie Cookie Allow plugin for WordPress versions ≤3.4.11 allows remote unauthenticated attackers to extract sensitive database contents via the 'consent' parameter. The vulnerability stems from insufficient SQL query preparation and parameter escaping, enabling attackers to append malicious SQL queries to existing database operations. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.
Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.
Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability enables attackers to achieve confidentiality, integrity, and availability impacts with low complexity exploitation over the network. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.
Stored Cross-Site Scripting in YAFNET forum software allows authenticated attackers to inject arbitrary JavaScript into thread posts and replies that automatically executes in the browser of every user who views the affected thread. Affects YAFNET.Core versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4. The payload triggers on page load without victim interaction, enabling session hijacking, credential theft, and account takeover of all viewers including administrators. Vendor-released patches are available (v3.2.12 and v4.0.5). No active exploitation confirmed by CISA KEV, though the attack requires only a standard forum account and proof-of-concept payload is documented in the GitHub advisory.
Stack-based buffer overflow in Sandboxie-Plus ProcessServer handlers allows local authenticated attackers to execute arbitrary code as SYSTEM or crash the SbieSvc service. The vulnerability affects versions 1.17.2 and earlier, stems from unsafe wcscpy operations on unchecked WCHAR fields from service pipe requests, and has been patched in version 1.17.3. The service pipe's NULL DACL permits any local process to connect and trigger the flaw before authorization checks execute, enabling privilege escalation from low-privileged local accounts. No public exploit code identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for skilled attackers to develop exploits.
Local privilege escalation to SYSTEM in Sandboxie-Plus 1.17.2 and earlier allows low-privileged interactive users to trigger stack buffer overflow in SbieSvc service via unauthenticated IPC, bypassing sandbox isolation controls. The vulnerability exists in the RunSbieCtrl handler which processes crafted messages before security checks and copies unbounded input into a 128-character stack buffer. Fixed in version 1.17.3. EPSS data unavailable; not listed in CISA KEV at time of analysis, but publicly disclosed via GitHub Security Advisory with technical details sufficient for exploit development.
Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.
TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.
Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.
Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.
Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.
OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.
Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.
Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.
Type confusion in Linux kernel's Bluetooth L2CAP Enhanced Credit-Based Reconfiguration Response handler allows adjacent network attackers to trigger integrity violations and potential denial of service. The vulnerability affects kernel versions from 5.7 onwards (commit 15f02b910562) and has vendor patches available across stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis.
Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.