
CWE-184

Incomplete List of Disallowed Inputs

53 CVEs, average CVSS 6.9 (MITRE): 6 critical, 21 high, 22 medium, 4 low; 6 with public PoC, 0 in CISA KEV.

CVE-2026-44463 HIGH PATCH This Week

Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool permission system, which fails to account for environment-variable prefixes on allowlisted commands. An attacker who can influence what the agent runs (for example via a malicious prompt or repository content) can prepend assignments such as PAGER=/path/to/payload to a permitted command and hijack execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Category: RCE | Sources: NVD, GitHub | CVSS 3.1: 8.6
CVE-2026-44462 MEDIUM PATCH This Month

{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.

Category: RCE | Sources: NVD, GitHub | CVSS 3.1: 6.4
CVE-2026-9818 MEDIUM PATCH This Month

Roundcube Webmail's HTML sanitizer fails to block loopback, localhost, RFC1918, link-local, and ULA addresses when rendering HTML email, even when the user has disabled remote content loading. An unauthenticated remote attacker (PR:N per CVSS) can send a crafted HTML email that - upon the victim previewing it - causes their browser to issue HTTP requests to internal or private-network services, enabling blind probing or interaction with local infrastructure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the changed scope (S:C in CVSS) reflects that impact extends to resources beyond Roundcube itself.

Category: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 4.7
CVE-2026-45066 PHP MEDIUM PATCH GHSA This Month

Three distinct URL allowlist bypasses in Symfony's symfony/html-sanitizer component allow content authors to smuggle off-allowlist URLs past host and scheme restriction controls configured via allowLinkHosts(), allowLinkSchemes(), allowMediaHosts(), and allowMediaSchemes(). The root cause is a combination of parser-differential attacks exploiting divergence between RFC-3986 (used server-side) and the WHATWG URL Standard (used by browsers), plus misclassification of <area> elements as media rather than navigable links. Affected applications processing untrusted HTML with host/scheme allowlists in symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11 are at risk; no public exploit identified at time of analysis and this CVE does not appear in CISA KEV.

Category: Authentication Bypass | Sources: NVD, GitHub
CVE-2026-45037 HIGH PATCH This Week

Tabby terminal emulator before version 1.0.232 automatically renders malicious URIs from SSH/Telnet servers as clickable links without validating the protocol scheme, allowing attackers to trigger arbitrary OS protocol handlers when users click these links. The vulnerability requires user interaction (clicking the malicious link) and affects all platforms where Tabby runs. EPSS data is unavailable and the CVE is not currently in CISA KEV, indicating no confirmed active exploitation at this time.

Category: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2026-45006 HIGH PATCH This Week

Compromised AI models running with access to OpenClaw's gateway tool can persist malicious configuration changes affecting command execution, network endpoints, credentials, and security policies by exploiting an incomplete denylist that failed to protect newly added config paths. The vulnerability allows model-driven writes to sensitive config subtrees (command execution safeguards, proxy/TLS settings, telemetry hooks, operator policies) that survive restart, enabling persistent control beyond the intended model-to-operator trust boundary. Patch available in OpenClaw 2026.4.23 with fail-closed allowlist enforcement. No public exploit or active exploitation confirmed, but CVSS 8.8 (AV:N/AC:L/PR:L) indicates authenticated remote attackers with low-privilege model access can achieve full config compromise.

Category: Authentication Bypass | Sources: NVD, GitHub, VulDB | CVSS 4.0: 7.7 | EPSS: 0.1%
CVE-2026-44993 LOW PATCH Monitor

OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector), but achieves both confidentiality and integrity impact with a moderate CVSS score of 5.4.

Category: Authentication Bypass | Sources: NVD, GitHub | CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-42590 Go HIGH PATCH GHSA This Week

Remote attackers can manipulate server filesystem operations in Gotenberg v8 by bypassing the ExifTool metadata blocklist using group-prefix syntax (e.g., 'File:FileName' instead of 'FileName'). The vulnerability allows unauthenticated file renaming, moving, symlink/hardlink creation, and permission modification on the server. This directly bypasses the previous fix for GHSA-qmwh-9m9c-h36m. Public exploit code exists with working PoC commands. In non-containerized deployments or those with mounted volumes, attackers can achieve arbitrary file read via symlink chaining and file overwrites. CVSS 8.2 (High) with network vector, low complexity, and no authentication required.

Category: Authentication Bypass | Sources: NVD, GitHub | CVSS 3.1: 8.2 | EPSS: 0.1%
CVE-2026-44115 HIGH PATCH This Week

Shell expansion injection in OpenClaw's exec allowlist validation allows authenticated attackers to bypass command approval controls and execute arbitrary system commands. The vulnerability affects OpenClaw versions prior to 2026.4.22 through improper parsing of unquoted heredoc bodies, where shell expansion tokens ($VAR, $(), etc.) are treated as literal text during allowlist analysis but expanded at runtime. This enables attackers to embed unapproved commands within ostensibly safe allowlisted commands. VulnCheck disclosed this vulnerability, and a proof-of-concept fix commit is publicly available. CVSS 8.7 reflects high impact across confidentiality, integrity, and availability with low attack complexity.

Category: Authentication Bypass | Sources: NVD, GitHub, VulDB | CVSS 4.0: 8.7 | EPSS: 0.1%
CVE-2026-44114 npm HIGH PATCH GHSA This Week

Environment variable namespace collision in OpenClaw npm package before version 2026.4.20 enables malicious workspace dotenv files to override critical runtime control variables including OPENCLAW_GIT_DIR, potentially redirecting trusted operations like source updates and installer flows to attacker-controlled paths. Exploitation requires user interaction (opening a malicious workspace) but no authentication, achieving high confidentiality and integrity impact within the local scope. CVSS 8.5 severity reflects the local attack vector with low complexity. No active exploitation confirmed (not in CISA KEV), but public exploit code exists via the GitHub security advisory demonstrating the attack surface. Fixed in version 2026.4.20 per vendor commit 018494fa.

Category: Information Disclosure | Sources: NVD, GitHub, VulDB | CVSS 4.0: 8.5 | EPSS: 0.0%
