Monthly
Server-Side Request Forgery leading to credential theft affects the @haxtheweb/open-apis npm package in versions prior to 26.0.0, where substring-only hostname validation allows attackers to redirect basic authentication credentials to attacker-controlled domains. Publicly available exploit code exists in the GHSA advisory demonstrating credential capture via crafted API calls through cloudflared tunnels, and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems. No EPSS or CVSS data is available, and the vulnerability is not currently listed in CISA KEV.
OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.
OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.
Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.
OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. This requires local access and user interaction to trigger package manager operations, limiting remote exploitation but creating significant insider threat and social engineering risk vectors.
Axios HTTP client versions prior to 1.15.1 and 0.31.1 use loose truthy/falsy comparison instead of strict boolean checks for the withXSRFToken config property, allowing XSRF tokens to be sent to cross-origin servers when the property is set to any truthy non-boolean value through prototype pollution or misconfiguration. This bypasses same-origin validation and enables attackers to exfiltrate XSRF tokens to attacker-controlled domains, compromising CSRF protection across applications using vulnerable versions.
HTTP request smuggling in Axios HTTP client library allows remote attackers to bypass NO_PROXY protection and route requests through 127.0.0.0/8 addresses other than 127.0.0.1. Attackers who control target URLs in applications using Axios prior to versions 1.15.1 and 0.31.1 can bypass proxy restrictions and potentially access internal resources with changed scope (CVSS S:C). This is an incomplete fix regression of CVE-2025-62718, indicating the original patch failed to cover the full 127.0.0.0/8 loopback range. No public exploit identified at time of analysis, EPSS data not provided.
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.
Server-Side Request Forgery leading to credential theft affects the @haxtheweb/open-apis npm package in versions prior to 26.0.0, where substring-only hostname validation allows attackers to redirect basic authentication credentials to attacker-controlled domains. Publicly available exploit code exists in the GHSA advisory demonstrating credential capture via crafted API calls through cloudflared tunnels, and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems. No EPSS or CVSS data is available, and the vulnerability is not currently listed in CISA KEV.
OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.
OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.
Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.
OpenClaw package manager allows supply chain attacks through incomplete environment variable sanitization before version 2026.3.22. Attackers can hijack approved package installation or execution requests by injecting environment variables that redirect package resolution to malicious infrastructure, enabling trojanized code execution with high impact to confidentiality, integrity, and availability. This requires local access and user interaction to trigger package manager operations, limiting remote exploitation but creating significant insider threat and social engineering risk vectors.
Axios HTTP client versions prior to 1.15.1 and 0.31.1 use loose truthy/falsy comparison instead of strict boolean checks for the withXSRFToken config property, allowing XSRF tokens to be sent to cross-origin servers when the property is set to any truthy non-boolean value through prototype pollution or misconfiguration. This bypasses same-origin validation and enables attackers to exfiltrate XSRF tokens to attacker-controlled domains, compromising CSRF protection across applications using vulnerable versions.
HTTP request smuggling in Axios HTTP client library allows remote attackers to bypass NO_PROXY protection and route requests through 127.0.0.0/8 addresses other than 127.0.0.1. Attackers who control target URLs in applications using Axios prior to versions 1.15.1 and 0.31.1 can bypass proxy restrictions and potentially access internal resources with changed scope (CVSS S:C). This is an incomplete fix regression of CVE-2025-62718, indicating the original patch failed to cover the full 127.0.0.0/8 loopback range. No public exploit identified at time of analysis, EPSS data not provided.
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the illegalParameters field that contains the JDBC security blocklist. When a datasource configuration is submitted as JSON, Jackson deserialization calls setIllegalParameters with an attacker-supplied empty list, replacing the blocklist before getJdbc() validation runs. This allows an authenticated attacker to include dangerous JDBC parameters such as allowLoadLocalInfile=true, and by pointing the datasource at a rogue MySQL server, exploit the LOAD DATA LOCAL INFILE protocol feature to read arbitrary files from the DataEase server filesystem, including sensitive environment variables and database credentials. This issue has been fixed in version 2.10.21.
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.