Monthly
Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.
Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. Affected versions are Rack prior to 2.2.23, 3.1.21, and 3.2.6; patches are available for all three release branches.
Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.
OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.
CVE-2026-32766 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.
GitLab CE/EE versions 18.4 through 18.8 are vulnerable to unauthenticated denial of service attacks where an attacker can exhaust server resources by circumventing JSON validation limits. An unauthenticated remote attacker can trigger excessive memory or CPU consumption without authentication or user interaction, potentially rendering the service unavailable. Currently no patch is available for this vulnerability.
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.
Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. Affected versions are Rack prior to 2.2.23, 3.1.21, and 3.2.6; patches are available for all three release branches.
Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.
OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.
CVE-2026-32766 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
SEPPmail Secure Email Gateway versions before 15.0.1 misinterpret email addresses in message headers, enabling attackers to spoof sender identities or decrypt encrypted communications due to inconsistent header parsing with standard mail infrastructure. This unauthenticated network-based vulnerability affects all default installations with no available patch, presenting significant risk to organizations relying on the gateway for email security.
GitLab CE/EE versions 18.4 through 18.8 are vulnerable to unauthenticated denial of service attacks where an attacker can exhaust server resources by circumventing JSON validation limits. An unauthenticated remote attacker can trigger excessive memory or CPU consumption without authentication or user interaction, potentially rendering the service unavailable. Currently no patch is available for this vulnerability.
Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.