CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

GHSA-QVR7-G57C-MRC7 | score 3.6 | about 2 hours ago

GHSA-QVR7-G57C-MRC7: Authentication Fall-Through via Unresolved SecretRef in OpenClaw Gateway

In OpenClaw versions prior to v2026.3.11, the local gateway helper contains a logic flaw in its credential resolution. When a credential configured via SecretRef fails to resolve, the helper leaves the credential unset instead of failing closed, so resolution falls through to remote or default credentials and the intended local authentication requirement can be bypassed.

Amit Schendel
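The fail-open versus fail-closed behaviour described in the report, as an added example that is not OpenClaw's code: the SecretRef shape, the env-style secret store and the config fields are assumptions made for illustration.

```javascript
// Added example, not OpenClaw's code: credential resolution that fails open
// (unresolved SecretRef becomes "unset" and a fallback kicks in) versus one
// that fails closed. The SecretRef shape and the env-style store are assumptions.
const SECRET_STORE = { GATEWAY_TOKEN: 'local-secret-123' }; // constructed store

function lookupSecretRef(ref) {
  // A SecretRef names a key in a store; an unknown key resolves to undefined.
  return ref && ref.kind === 'env' ? SECRET_STORE[ref.name] : undefined;
}

// Vulnerable: an unresolved ref leaves `local` undefined, and the `??`
// fallback quietly selects the remote/default credential.
function resolveAuthVulnerable(config) {
  const local = lookupSecretRef(config.localTokenRef);
  return { mode: local ? 'local' : 'remote', token: local ?? config.remoteToken };
}

// Hardened: if a local SecretRef is configured, it must resolve; anything
// else is a hard error rather than a silent downgrade.
function resolveAuthFixed(config) {
  if (config.localTokenRef) {
    const local = lookupSecretRef(config.localTokenRef);
    if (local === undefined) {
      throw new Error(`SecretRef ${config.localTokenRef.name} did not resolve; refusing to fall through`);
    }
    return { mode: 'local', token: local };
  }
  return { mode: 'remote', token: config.remoteToken };
}

// Constructed configs: one whose ref resolves, one whose ref is missing.
const goodConfig = { localTokenRef: { kind: 'env', name: 'GATEWAY_TOKEN' }, remoteToken: 'remote-default' };
const badConfig  = { localTokenRef: { kind: 'env', name: 'MISSING_TOKEN' }, remoteToken: 'remote-default' };
```

The practical check is the last branch of `resolveAuthFixed`: a configured reference that cannot be resolved is a configuration or secret-store failure and must surface as an error, never as a downgrade to a different credential.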
CVE-2026-32304 | score 9.8 | about 2 hours ago

CVE-2026-32304: Remote Code Execution via Code Injection in Locutus create_function

Locutus versions prior to 3.0.14 contain a critical remote code execution vulnerability in the PHP compatibility layer. The create_function implementation builds dynamic JavaScript functions from unsanitized user input via the Function constructor, so any JavaScript contained in that input is compiled and executed.

Amit Schendel
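Why a create_function-style helper is an eval, as an added example that is not Locutus's code: the wrapper, the allowed-operation table and the attacker body are all assumptions constructed for illustration.

```javascript
// Added example, not Locutus's code: a create_function-style helper that
// compiles caller-supplied strings with the Function constructor is an eval,
// and the safe replacement exposes named operations instead. All names here
// are assumptions.

// Vulnerable pattern: the body string is compiled and run as JavaScript with
// the full privileges of the process.
function createFunctionVulnerable(args, code) {
  return new Function(args, code);
}

// Hardened pattern: never compile untrusted text; callers choose from a fixed
// table of operations by name.
const ALLOWED_OPS = {
  add: (a, b) => a + b,
  upper: (s) => String(s).toUpperCase(),
};
function createFunctionFixed(opName) {
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPS, opName)) {
    throw new Error(`operation not allowed: ${opName}`);
  }
  return ALLOWED_OPS[opName];
}

// Constructed attacker input: looks like an "add" body but also plants a
// marker on the global object, standing in for arbitrary code.
const injectedBody = "globalThis.__injected = 'attacker code ran'; return a + b;";
```

There is no sanitizer that makes `new Function(userString)` safe; the fix is to stop compiling untrusted text at all.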
GHSA-MWV9-GP5H-FRR4 | score 5.3 | about 6 hours ago

GHSA-MWV9-GP5H-FRR4: Prototype Pollution Vector via Malformed Properties in devalue

The devalue library prior to version 5.6.4 contains a prototype pollution vector in its deserialization routines. The `parse` and `unflatten` functions do not validate property keys, so they can produce objects that carry `__proto__` as an explicit own property. Such an object is inert on its own, but it enables prototype pollution when the application later passes it through an insecure recursive merge.

Amit Schendel
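The two halves of the chain described above, as an added example that is not devalue's code: `JSON.parse` stands in for a deserializer that keeps `__proto__` as an own key, and the merge functions and reviver-based fix are assumptions written for illustration.

```javascript
// Added example, not devalue's code: a deserialized object carrying
// "__proto__" as an own property is inert until an unguarded recursive merge
// assigns through target["__proto__"], which is the prototype setter. The
// merge functions and the reviver-based fix are assumptions.

// JSON.parse keeps "__proto__" as an own data property (the real prototype
// is untouched), which mirrors a deserializer that does not validate keys.
function deserializeVulnerable(text) {
  return JSON.parse(text);
}

// Deserializer-side fix: drop prototype-bearing keys while parsing.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function deserializeFixed(text) {
  return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
}

// Vulnerable consumer: a naive recursive merge. target["__proto__"] resolves
// to Object.prototype, so the nested object is written onto every object.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened consumer: refuse prototype-bearing keys and only recurse into
// the target's own properties.
function mergeFixed(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key ${key}`);
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      mergeFixed(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPolluted() { return ({}).polluted !== undefined; }
const hostileJson = '{"__proto__":{"polluted":"yes"}}'; // constructed payload
```

Either side of the chain is enough to break it; fixing both is cheap, and the consumer-side guard protects against every deserializer, not just this one.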
GHSA-4CM8-XPFV-JV6F | score 8.2 | about 7 hours ago

GHSA-4CM8-XPFV-JV6F: Email Sender Spoofing and Authentication Bypass in ZeptoClaw

GHSA-4CM8-XPFV-JV6F describes an authentication bypass in the ZeptoClaw AI assistant. By spoofing the MIME `From` header, an unauthenticated attacker can pass the sender allowlist and have arbitrary instructions executed through the platform's email processing channel. The bypass works because the platform neither checks that the header sender is consistent with the SMTP envelope sender nor requires cryptographic sender verification (for example a passing DKIM signature).

Amit Schendel
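The header-only check and the hardened check, as an added example that is not ZeptoClaw's code: the message shape, the allowlist and the `dkimPass` flag (standing in for a verifier result the MTA would supply) are assumptions; the two messages are constructed.

```javascript
// Added example, not ZeptoClaw's code: allowlisting on the MIME From header
// alone is spoofable; the hardened check also requires the SMTP envelope
// sender (MAIL FROM) to agree and a passing signature verdict. The message
// shape and the dkimPass flag are assumptions.
const ALLOWLIST = new Set(['owner@example.com']);

function parseFromHeader(raw) {
  const m = /^From:\s*(?:.*<)?([^<>\s]+@[^<>\s]+)>?\s*$/im.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable: trusts the attacker-controlled header.
function isAuthorizedVulnerable(msg) {
  return ALLOWLIST.has(parseFromHeader(msg.raw));
}

// Hardened: header sender must match the envelope sender, and the message
// must carry a passing signature (dkimPass stands in for a DKIM/ARC result
// produced by the receiving MTA, not by anything under the sender's control).
function isAuthorizedFixed(msg) {
  const header = parseFromHeader(msg.raw);
  const envelope = (msg.envelopeFrom || '').toLowerCase();
  if (!header || header !== envelope) return false;
  if (msg.dkimPass !== true) return false;
  return ALLOWLIST.has(header);
}

// Constructed messages: one spoofed, one genuine.
const spoofed = { envelopeFrom: 'attacker@evil.example', dkimPass: false,
  raw: 'From: Owner <owner@example.com>\r\nSubject: run\r\n\r\ndelete everything' };
const genuine = { envelopeFrom: 'owner@example.com', dkimPass: true,
  raw: 'From: owner@example.com\r\nSubject: hi\r\n\r\nstatus?' };
```

Envelope agreement alone is not enough either (MAIL FROM is also attacker-chosen), which is why the signature verdict is required as well.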
CVE-2026-32245 | score 6.5 | about 8 hours ago

CVE-2026-32245: OIDC Authorization Code Grant Client Impersonation in Tinyauth

Tinyauth versions prior to 5.0.3 contain an incorrect authorization vulnerability in the OpenID Connect (OIDC) token endpoint. The server fails to verify that the client attempting to exchange an authorization code matches the client to which the code was originally issued, violating RFC 6749 Section 4.1.3.

Amit Schendel
CVE-2026-32246 | score 8.5 | about 9 hours ago

CVE-2026-32246: TOTP Authentication Bypass in Tinyauth OIDC Controller

Tinyauth prior to version 5.0.3 contains a high-severity authentication bypass vulnerability in its OpenID Connect (OIDC) controller. The application fails to properly validate the multi-factor authentication (MFA) state of a user session before issuing OIDC authorization codes. An attacker with possession of a valid primary credential (password) can bypass the Time-based One-Time Password (TOTP) requirement, extract identity tokens, and gain unauthorized access to downstream services relying on Tinyauth for authentication.

Alon Barad
CVE-2026-32247 | score 8.1 | about 9 hours ago

CVE-2026-32247: Cypher Injection in Graphiti via Insecure SearchFilter Interpolation

Graphiti versions prior to 0.28.2 contain a high-severity Cypher injection vulnerability (CWE-943) in the search-filter construction logic for non-Kuzu backends, where filter values are interpolated into the query text rather than passed as parameters. This allows an attacker to execute arbitrary Cypher against the underlying database, either directly or through indirect prompt injection in Model Context Protocol (MCP) deployments, where the filter value may originate from model output.

Alon Barad
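The interpolated filter versus a parameterized one, as an added example that is not Graphiti's code: the node labels, property name and payload are assumptions, and the builders return the text and parameters a driver would receive so the example runs without a database.

```javascript
// Added example, not Graphiti's code: a search filter rendered by string
// interpolation versus one passed as query parameters. Labels and property
// names are assumptions; the builders return what a driver would be handed.
function buildFilterVulnerable(nodeLabel, groupId) {
  return `MATCH (n:${nodeLabel}) WHERE n.group_id = '${groupId}' RETURN n`;
}

// Labels cannot be parameterized in Cypher, so they are allowlisted; every
// value goes through $params and is never spliced into the text.
const ALLOWED_LABELS = new Set(['Entity', 'Episodic']);
function buildFilterFixed(nodeLabel, groupId) {
  if (!ALLOWED_LABELS.has(nodeLabel)) throw new Error(`label not allowed: ${nodeLabel}`);
  return {
    text: `MATCH (n:${nodeLabel}) WHERE n.group_id = $groupId RETURN n`,
    params: { groupId },
  };
}

// Constructed injection payload. In an MCP deployment this string could be
// an argument produced by the model from attacker-influenced content.
const payload = "x' OR true RETURN n //";
```

With the vulnerable builder the `WHERE` clause collapses to `true` and the trailing `//` comments out the rest; with the fixed builder the same string is just a value compared against `group_id`.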
GHSA-QMPG-8XG6-PH5Q | score unassigned (Moderate) | about 10 hours ago

GHSA-QMPG-8XG6-PH5Q: Stored Cross-Site Scripting via Sanitizer Bypass in Trix Editor

A stored Cross-Site Scripting (XSS) vulnerability exists in the Trix rich text editor, distributed via the `trix` npm package and the `action_text-trix` RubyGem. The flaw is a bypass of the DOMPurify sanitization configuration: a custom hook improperly allowlists the `data-trix-serialized-attributes` attribute. An attacker can therefore store a serialized JSON payload containing malicious JavaScript handlers, which Trix later deserializes and applies directly to the live DOM, giving arbitrary JavaScript execution in the victim's browser.

Alon Barad
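Why attributes smuggled through a serialized JSON blob need their own allowlist, as an added example that is not Trix's code: the fake element stands in for a DOM node, and the attribute allowlist and URL check are assumptions; only the idea of JSON-serialized attributes comes from the advisory.

```javascript
// Added example, not Trix's code: attributes carried as JSON inside a data-*
// attribute survive markup sanitization, so the code that applies them to a
// live element must enforce its own allowlist. The fake element stands in
// for a DOM node; the allowlist and URL rule are assumptions.
function makeElement() {
  const attrs = {};
  return {
    attrs,
    setAttribute(name, value) { attrs[name] = String(value); },
    getAttribute(name) { return attrs[name] ?? null; },
  };
}

// Vulnerable: applies every deserialized key/value verbatim, including
// onerror/onclick handlers and javascript: URLs.
function applySerializedVulnerable(el, json) {
  for (const [name, value] of Object.entries(JSON.parse(json))) el.setAttribute(name, value);
}

// Hardened: only known presentation attributes, never event handlers, and
// only http(s)/mailto/relative URLs in href and src.
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'width', 'height', 'title']);
function isSafeUrl(value) { return /^(https?:|mailto:|\/)/i.test(String(value).trim()); }
function applySerializedFixed(el, json) {
  for (const [name, value] of Object.entries(JSON.parse(json))) {
    const n = name.toLowerCase();
    if (!ALLOWED_ATTRS.has(n)) continue;                        // drops on*, style, srcdoc, ...
    if ((n === 'href' || n === 'src') && !isSafeUrl(value)) continue;
    el.setAttribute(n, value);
  }
}

// Constructed hostile payload of the kind a stored attachment could carry.
const hostileAttrs = JSON.stringify({ alt: 'x', onerror: 'alert(1)', href: 'javascript:alert(2)' });
```

The general point is that a sanitizer proves nothing about data it treated as opaque: whatever is deserialized later has to be validated at the point where it becomes markup or DOM state.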
CVE-2026-32242 | score 9.1 | about 10 hours ago

CVE-2026-32242: Authentication Bypass via Race Condition in Parse Server OAuth2 Adapter

Parse Server versions prior to 8.6.37 and 9.6.0-alpha.11 contain a critical race condition in the built-in OAuth2 authentication adapter. Concurrent authentication requests across different OAuth2 providers can overwrite shared configuration state, leading to authentication bypass and unauthorized account access.

Alon Barad
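How per-request provider settings kept on a shared object produce the bypass, as an added example that is not Parse Server's code: the two-phase `begin`/`finish` methods stand in for the await on the provider's tokeninfo call so the interleaving is deterministic, and the provider names, URLs and tokens are constructed.

```javascript
// Added example, not Parse Server's code: an adapter that parks the current
// provider's options on a shared field lets a request for provider A finish
// its validation with provider B's settings once requests interleave. The
// two-phase methods stand in for the await on the tokeninfo call; provider
// names, URLs and tokens are constructed.
const PROVIDERS = {
  trusted:  { tokenInfoUrl: 'https://trusted.example/tokeninfo' },
  attacker: { tokenInfoUrl: 'https://attacker.example/tokeninfo' },
};
// Which tokens each endpoint would report as valid (stand-in for HTTP calls).
const TOKENINFO = {
  'https://trusted.example/tokeninfo':  new Set(['tok-trusted']),
  'https://attacker.example/tokeninfo': new Set(['tok-attacker']),
};
function fetchTokenInfo(url, token) { return TOKENINFO[url].has(token); }

class OAuth2AdapterVulnerable {
  begin(providerName) { this.options = PROVIDERS[providerName]; }          // shared state
  finish(token) { return fetchTokenInfo(this.options.tokenInfoUrl, token); } // reads it after I/O
}

class OAuth2AdapterFixed {
  begin(providerName) { return { options: PROVIDERS[providerName] }; }     // per-request context
  finish(ctx, token) { return fetchTokenInfo(ctx.options.tokenInfoUrl, token); }
}

// Interleaving that grants a "trusted" login with a token only the attacker's
// own provider accepts.
function raceVulnerable() {
  const adapter = new OAuth2AdapterVulnerable();
  adapter.begin('trusted');               // request 1: authData.trusted
  adapter.begin('attacker');              // request 2 arrives while request 1 awaits I/O
  return adapter.finish('tok-attacker');  // request 1 resumes with the attacker's options
}
function raceFixed() {
  const adapter = new OAuth2AdapterFixed();
  const ctx1 = adapter.begin('trusted');
  adapter.begin('attacker');
  return adapter.finish(ctx1, 'tok-attacker');
}
```

The fix is structural rather than a lock: anything that varies per request (provider, options, endpoint) travels with the request, and the adapter instance holds nothing mutable.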
CVE-2026-32248 | score 9.3 | about 11 hours ago

CVE-2026-32248: Account Takeover via Operator Injection in Parse Server

Parse Server versions prior to 8.6.38 and 9.6.0-alpha.12 are vulnerable to a critical account takeover due to improper input validation in the authentication logic. The identifier in the anonymous authentication provider's payload is passed into the user lookup without a type check, so an unauthenticated remote attacker can supply a database query operator in place of the string identifier, match an existing user, and obtain a valid session token for that account.

Alon Barad
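Operator injection against a document-style lookup, as an added example that is not Parse Server's code: the in-memory users and the mini-matcher (which understands only `$ne` and `$regex`) are constructed so the example runs without a database, and the identifier format enforced by the fix is an assumption.

```javascript
// Added example, not Parse Server's code: an identifier taken from an auth
// payload and passed straight into a document query lets the caller supply a
// query operator instead of a string. The users and the tiny matcher are
// constructed stand-ins for a MongoDB-style lookup.
const USERS = [
  { objectId: 'u1', authData: { anonymous: { id: 'id-1111-aaaa' } } },
  { objectId: 'u2', authData: { anonymous: { id: 'id-2222-bbbb' } } },
];

function matchesCondition(value, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    if ('$ne' in cond) return value !== cond.$ne;
    if ('$regex' in cond) return new RegExp(cond.$regex).test(String(value));
    throw new Error('unsupported operator');
  }
  return value === cond;
}
function findUserByAnonymousId(idCondition) {
  return USERS.find((u) => matchesCondition(u.authData.anonymous.id, idCondition)) || null;
}

// Vulnerable: whatever arrived under authData.anonymous.id becomes the query.
function loginVulnerable(authData) {
  return findUserByAnonymousId(authData.anonymous.id);
}

// Hardened: the identifier must be a plain string of the expected shape
// before it is allowed anywhere near the query.
function loginFixed(authData) {
  const id = authData && authData.anonymous && authData.anonymous.id;
  if (typeof id !== 'string' || !/^[a-z0-9-]{8,64}$/i.test(id)) throw new Error('invalid auth data');
  return findUserByAnonymousId(id);
}

// Constructed attacker payload: matches any user whose id is not null.
const injectedAuthData = { anonymous: { id: { $ne: null } } };
```

Type-checking the value is the essential step; the format regex is defence in depth. The same check belongs in front of every field that is copied from a request body into a query object.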
CVE-2026-28356 | score 7.5 | about 11 hours ago

CVE-2026-28356: Regular Expression Denial of Service in defnull/multipart

CVE-2026-28356 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the Python defnull/multipart library. By supplying a crafted HTTP or multipart segment header containing ambiguous escape sequences, an unauthenticated remote attacker can drive the regex engine into exponential backtracking. This exhausts CPU and denies service on the affected application thread for the duration of the match.

Amit Schendel
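What "ambiguous escape sequences" means for a backtracking engine, as an added example that is not defnull/multipart's code (and in JavaScript rather than Python, since the behaviour is the same in any backtracking engine): the patterns are constructed to show the class of bug, not copied from the library.

```javascript
// Added example, not defnull/multipart's code: a quoted-string pattern whose
// two alternatives can both consume a backslash backtracks exponentially on a
// run of backslashes that never closes, versus a pattern with disjoint
// alternatives and a single-pass unescaper. Patterns are constructed.

// Ambiguous: for each backslash the engine may try `\\.` (escape pair) or `.`
// alone, so an unterminated input with n backslashes explores ~1.6^n paths
// (the count grows like the Fibonacci numbers) before failing.
const AMBIGUOUS = /^"(?:\\.|.)*"$/;

// Unambiguous: a backslash can only be consumed by `\\.`, and every other
// character only by `[^"\\]`, so the match is linear.
const SAFE = /^"(?:\\.|[^"\\])*"$/;

function parseQuotedVulnerable(s) { return AMBIGUOUS.test(s); }

// Hand-written single pass: returns the unescaped content or null.
function parseQuotedFixed(s) {
  if (s.length < 2 || s[0] !== '"' || s[s.length - 1] !== '"') return null;
  let out = '';
  for (let i = 1; i < s.length - 1; i++) {
    if (s[i] === '\\') {
      if (i + 1 >= s.length - 1) return null; // dangling escape before the closing quote
      out += s[++i];
    } else {
      out += s[i];
    }
  }
  return out;
}

// Constructed hostile header value: an opening quote, n backslashes, and a
// newline so nothing can ever close the string.
function evilInput(n) { return '"' + '\\'.repeat(n) + '\n'; }
```

Keep `n` small when trying `AMBIGUOUS` interactively (around 25 is instant, 40 is already painful); the linear pattern and the hand parser do not care about `n`.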
CVE-2026-28792 | score 9.7 | about 12 hours ago

CVE-2026-28792: Cross-Origin File Exfiltration and Path Traversal in TinaCMS CLI

The TinaCMS CLI development server prior to version 2.1.8 contains a critical vulnerability that lets remote attackers read arbitrary local files, write malicious files, and delete data on a developer's workstation. The attack is a browser drive-by: a developer visiting an attacker-controlled web page has that page issue cross-origin requests to the local development server, which neither restricts the requesting origin nor confines the requested paths to the project directory.

Amit Schendel
Automated vulnerability intelligence. 1,102+ reports.