CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 1 hour ago • CVE-2026-30974 • severity 4.6

CVE-2026-30974: Stored Cross-Site Scripting via SVG Uploads in copyparty

A Stored Cross-Site Scripting (XSS) vulnerability exists in copyparty prior to version v1.20.11. The 'nohtml' volume configuration flag fails to restrict SVG images, allowing authenticated attackers with write permissions to upload malicious SVGs that execute arbitrary JavaScript when viewed by other users.

Amit Schendel • 5 min read
about 2 hours ago • CVE-2026-30957 • severity 10.0

CVE-2026-30957: Remote Code Execution via Insecure Sandbox Exposure in OneUptime

OneUptime versions prior to 10.0.21 contain a critical server-side remote code execution vulnerability within the Synthetic Monitor component. The application improperly injects a host-realm Playwright browser object into an isolated Node.js VM context. Authenticated attackers can invoke Playwright process management methods to escape the sandbox and execute arbitrary commands on the underlying probe container.

Amit Schendel • 8 min read
about 16 hours ago • CVE-2026-30913 • severity 4.6

CVE-2026-30913: Link Injection and Content Spoofing in Flarum Nicknames Extension

The flarum/nicknames extension for Flarum prior to version 1.8.3 fails to sanitize user display names before including them in outbound notification emails. This allows registered users to construct nicknames that email clients interpret as hyperlinked domains or Markdown links, facilitating targeted phishing and content spoofing attacks against forum users.

Alon Barad • 6 min read
about 17 hours ago • CVE-2026-3089 • severity 5.3

CVE-2026-3089: Authenticated Path Traversal in Actual Sync Server

CVE-2026-3089 is an authenticated path traversal vulnerability in Actual Sync Server prior to version 26.3.0. By manipulating the `x-actual-file-id` HTTP header, an authenticated attacker can bypass directory restrictions to read or write arbitrary files on the host filesystem. This flaw stems from a lack of input validation when constructing file paths for user uploads and downloads.

Alon Barad • 6 min read
about 17 hours ago • GHSA-XV8G-FJ9H-6GMV • severity 9.8

GHSA-xv8g-fj9h-6gmv: Missing Authentication in Linkdave Audio Streaming Server

Linkdave, a high-performance Lavalink rewrite in Go, suffers from a complete lack of authentication on its control plane prior to commit 0f9a00d. This critical vulnerability allows unauthenticated remote attackers to establish WebSocket connections, manipulate REST APIs, and hijack or terminate active audio streaming sessions.

Alon Barad • 6 min read
about 18 hours ago • CVE-2026-30925 • severity 8.2

CVE-2026-30925: Regular Expression Denial of Service (ReDoS) in Parse Server LiveQuery

Parse Server versions prior to 8.6.11 and 9.5.0-alpha.14 contain a critical vulnerability in the LiveQuery component. The application evaluates client-provided regular expressions directly on the single-threaded Node.js event loop without adequate execution limits. Unauthenticated attackers can submit crafted subscriptions that cause exponential backtracking, exhausting CPU resources and resulting in a complete denial of service.

Amit Schendel • 6 min read
about 18 hours ago • GHSA-PJVX-RX66-R3FG • severity 6.5

GHSA-PJVX-RX66-R3FG: Cross-account sender authorization expansion in OpenClaw

GHSA-PJVX-RX66-R3FG is a moderate severity authorization expansion vulnerability in the OpenClaw AI agent framework. It arises from improper account scoping when writing to the persistent pairing store via the `/allowlist` command, allowing sub-account users to elevate their privileges to the default account scope.

Alon Barad • 7 min read
about 19 hours ago • GHSA-6MGF-V5J7-45CR • severity 7.5

GHSA-6MGF-V5J7-45CR: Sensitive Information Leak via Cross-Origin Redirects in OpenClaw

OpenClaw versions prior to v2026.3.7 suffer from a sensitive information disclosure vulnerability in the `fetch-guard` component. During cross-origin HTTP redirects, custom authentication headers are improperly forwarded to untrusted domains due to an incomplete denylist validation approach.

Amit Schendel • 5 min read
about 20 hours ago • GHSA-R6QF-8968-WJ9Q • severity Moderate

GHSA-R6QF-8968-WJ9Q: Security Gating Bypass via Off-By-One Logic Error in OpenClaw system.run

An off-by-one boundary condition in the OpenClaw system.run command dispatcher permits attackers to bypass mandatory shell approval prompts in security=allowlist mode.

Amit Schendel • 5 min read
about 20 hours ago • GHSA-HFPR-JHPQ-X4RM • severity 6.5

GHSA-HFPR-JHPQ-X4RM: Authorization Bypass via Gateway Command Routing in OpenClaw

OpenClaw versions prior to v2026.3.7 contain a moderate-severity authorization bypass vulnerability (CWE-863). The flaw allows authenticated clients restricted to the `operator.write` scope to perform administrative configuration changes by abusing the `chat.send` gateway protocol. This failure in internal message channel processing leads to unauthorized modifications of the system configuration and potential privilege escalation.

Alon Barad • 6 min read
about 21 hours ago • GHSA-9Q2P-VC84-2RWM • severity 6.5

GHSA-9Q2P-VC84-2RWM: Parser Differential Vulnerability in OpenClaw Security Allowlist

A parser differential vulnerability exists in the OpenClaw AI assistant system.run host tool. The security analysis engine fails to correctly parse POSIX shell comments, allowing attackers to bypass the allowlist via the allow-always persistence mechanism.

Alon Barad • 5 min read
about 22 hours ago • CVE-2026-25960 • severity 7.1

CVE-2026-25960: Server-Side Request Forgery (SSRF) Bypass in vLLM MediaConnector via Parser Differential

vLLM contains a critical parser differential vulnerability that allows attackers to bypass existing Server-Side Request Forgery (SSRF) protections. By exploiting parsing discrepancies between urllib3 and yarl, attackers can craft specific URLs that pass validation but direct the underlying HTTP client to query internal network services and cloud metadata endpoints.

Amit Schendel • 5 min read

Automated vulnerability intelligence. 1,041+ reports.