Monthly
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.
GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand function, allowing authenticated low-privilege remote attackers to circumvent command approval controls enforced in internal/tools/exec_approval.go. The bypass can yield limited confidentiality, integrity, and availability impacts consistent with the information-disclosure tag and the VC:L/VI:L/VA:L CVSS 4.0 impact metrics. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept exploit exists per the referenced GitHub issue, lowering the technical bar for abuse.
Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.
Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.
Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.
Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. No public exploit has been identified at time of analysis, and no EPSS or KEV signals are present in the input, but the advisory documents the exact bypass primitives.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.
Server-side request forgery (SSRF) filter bypass in Ghost CMS 6.0.9 through 6.21.0 allows remote unauthenticated attackers to direct the application to reach internal network services by supplying IPv6 literals that map to private IPv4 addresses, circumventing Ghost's outbound IP blocklist. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the filter validates against RFC 1918 private ranges but does not normalize IPv6-mapped IPv4 notation before comparison. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; Ghost 6.21.1 resolves the issue.
PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.
GoClaw 3.11.3 by nextlevelbuilder exposes an incomplete blacklist bypass in the ExecApprovalManager.CheckCommand function, allowing authenticated low-privilege remote attackers to circumvent command approval controls enforced in internal/tools/exec_approval.go. The bypass can yield limited confidentiality, integrity, and availability impacts consistent with the information-disclosure tag and the VC:L/VI:L/VA:L CVSS 4.0 impact metrics. No public exploit identified at time of analysis is incorrect here - a public proof-of-concept exploit exists per the referenced GitHub issue, lowering the technical bar for abuse.
Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.
Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.
Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.
Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. No public exploit has been identified at time of analysis, and no EPSS or KEV signals are present in the input, but the advisory documents the exact bypass primitives.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Static-analysis bypass in Picklescan before 0.0.25 lets attackers smuggle malicious pickle files past its malware scanner, leading to arbitrary OS command execution when a victim deserializes the file. Picklescan's denylist fails to flag unsafe Numpy globals, so a reduce method invoking numpy.testing._private.utils.runstring can import os and run commands while being reported as safe. No public exploit has been identified at time of analysis, though VulnCheck's advisory documents the exact gadget; the issue is not in CISA KEV. CVSS 4.0 base score is 7.6.
Server-side request forgery in Mastodon (versions before 4.5.10, 4.4.17, and 4.3.23) lets an attacker who controls authoritative DNS for a hostname bypass Mastodon's private-network filter and force the server to connect to internal IPv4 endpoints. The flaw stems from PrivateAddressCheck.private_address? returning false for IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) on Ruby releases older than 3.4, so a malicious AAAA record can redirect any outbound fetch to loopback (127.0.0.1), RFC1918 hosts, or cloud-metadata services like 169.254.169.254. No public exploit identified at time of analysis, but the CVSS 8.6 (scope-changed, high confidentiality) rating reflects direct exposure of internal services and instance credentials.
Server-side request forgery (SSRF) filter bypass in Ghost CMS 6.0.9 through 6.21.0 allows remote unauthenticated attackers to direct the application to reach internal network services by supplying IPv6 literals that map to private IPv4 addresses, circumventing Ghost's outbound IP blocklist. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the filter validates against RFC 1918 private ranges but does not normalize IPv6-mapped IPv4 notation before comparison. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; Ghost 6.21.1 resolves the issue.