•about 3 hours ago•GHSA-VFPX-Q664-H93M
8.2CVE-2026-34236: Insecure Deserialization via Insufficient Entropy in Auth0 WordPress Plugin
The Auth0 WordPress plugin (versions 5.0.0-BETA0 through 5.5.0) and its underlying Auth0-PHP SDK (versions 8.0.0 through 8.18.0) suffer from a cryptographic flaw due to insufficient entropy in session cookie encryption. This weakness permits attackers to brute-force the encryption key offline, forge malicious session cookies, and trigger insecure deserialization upon processing by the server. Successful exploitation allows authenticated attackers to execute arbitrary code within the context of the WordPress instance.
3 views•7 min read
•about 4 hours ago•GHSA-GHC5-95C2-VWCV
8.2GHSA-GHC5-95C2-VWCV: Insufficient Entropy in Cookie Encryption within Auth0 Symfony SDK
The Auth0 Symfony SDK (versions 5.0.0 through 5.7.0) is vulnerable to an insufficient entropy flaw in its cookie encryption implementation, stemming from the underlying auth0/auth0-php library. This allows an attacker to brute-force session keys and forge valid authentication cookies.
4 views•6 min read
•about 4 hours ago•GHSA-CJ63-JHHR-WCXV
5.3GHSA-cj63-jhhr-wcxv: Prototype Pollution to XSS Bypass in DOMPurify USE_PROFILES
A prototype pollution vulnerability in DOMPurify allows attackers to bypass the HTML sanitizer's attribute allowlist when the USE_PROFILES configuration is enabled. This results in DOM-based Cross-Site Scripting (XSS) via injected event handlers.
2 views•7 min read
•about 6 hours ago•CVE-2026-3779
7.8CVE-2026-3779: Use-After-Free in Foxit PDF Calculate Array Leads to Arbitrary Code Execution
Foxit PDF Editor and PDF Reader contain a critical use-after-free vulnerability within the list box calculate array logic. This flaw allows an attacker to execute arbitrary code by manipulating the lifecycle of document form fields and pages via crafted AcroJS scripts.
4 views•6 min read
•about 6 hours ago•GHSA-CJMM-F4JC-QW8R
5.3GHSA-CJMM-F4JC-QW8R: DOM-based XSS Bypass in DOMPurify via ADD_ATTR Predicate
DOMPurify versions prior to 3.3.2 contain a vulnerability where the ADD_ATTR predicate function short-circuits internal validation logic. This allows dynamically approved attributes to bypass URI-safe sanitization, potentially leading to DOM-based Cross-Site Scripting (XSS) via dangerous protocols like javascript: or data:.
1 views•6 min read
•about 12 hours ago•CVE-2026-20093
9.8CVE-2026-20093: Authentication Bypass in Cisco IMC Management Interface
A critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) allows an unauthenticated, remote attacker to reset administrative passwords. The flaw exists due to improper input validation in the user credential update process within the XML API and web management interface.
12 views•5 min read
•about 12 hours ago•CVE-2026-35038
2.1CVE-2026-35038: Arbitrary Prototype Read in Signal K Server via JSON-Patch Bypass
Signal K Server prior to version 2.24.0 contains an input validation flaw in its JSON-patch endpoint. The application fails to validate the `from` field during copy and move operations, allowing authenticated users to read sensitive properties from the global prototype object.
5 views•7 min read
•about 15 hours ago•CVE-2026-35168
8.8CVE-2026-35168: Authenticated Remote Code Execution via SQL Injection in OpenSTAManager Aggiornamenti Module
OpenSTAManager versions prior to 2.10.2 contain a high-severity SQL Injection vulnerability in the `Aggiornamenti` module. The application accepts raw SQL statements in JSON format and executes them directly against the database without validation. This flaw enables authenticated attackers to modify database schemas, exfiltrate data, and potentially achieve remote code execution depending on database configuration.
9 views•5 min read
•about 15 hours ago•CVE-2026-33026
9.1CVE-2026-33026: Remote Code Execution via Cryptographic Design Flaw in Nginx UI Backup Mechanism
Nginx UI prior to version 2.3.4 contains a critical cryptographic design flaw in its backup and restore mechanism. The application relies on a circular trust model where backup integrity is protected by user-controlled encryption keys, allowing an attacker to forge backup archives and achieve Remote Code Execution upon restoration.
9 views•6 min read
•about 16 hours ago•GHSA-G8XP-QX39-9JQ9
10.0GHSA-G8XP-QX39-9JQ9: Arbitrary Code Execution via Environment Variable Injection in OpenClaw Host Execution
OpenClaw versions prior to v2026.3.31 contain an environment variable injection vulnerability in the Host Environment Security Policy. An untrusted AI model can achieve arbitrary code execution on the host by supplying specific un-sanitized compiler environment variables during host-exec operations.
5 views•7 min read
•about 16 hours ago•GHSA-RG8M-3943-VM6Q
5.1GHSA-RG8M-3943-VM6Q: Authorization Bypass in OpenClaw Matrix Extension via Reply Context
OpenClaw versions 2026.3.28 and earlier contain an improper authorization vulnerability in the Matrix extension. The application fails to validate the sender of threaded messages or reply contexts against the configured allowlist. This allows unauthorized attackers to inject arbitrary content into the AI assistant's context window when an authorized user interacts with an attacker's message.
5 views•7 min read
•about 17 hours ago•GHSA-QCC3-JQWP-5VH2
5.3GHSA-qcc3-jqwp-5vh2: Unauthenticated Resource Exhaustion via LINE Webhook Handler in OpenClaw
The OpenClaw personal AI assistant platform contains a resource exhaustion vulnerability in its LINE webhook handler. The application fails to enforce concurrency limits prior to processing unauthenticated HTTP POST requests, allowing an attacker to cause a Denial of Service (DoS) through rapid CPU and memory consumption.
6 views•6 min read