Vulnerabilities

ID | Packages | Summary | Published | Attributes
GHSA-4hmj-39m8-jwc7 | npm/openclaw | OpenClaw has ACP CLI approval prompt ANSI escape sequence injection | 1 hour ago | Fix available
GHSA-j4c9-w69r-cw33 | npm/openclaw | OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State | 1 hour ago | Fix available
GHSA-mf5g-6r6f-ghhm | npm/openclaw | OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token | 1 hour ago | Fix available
GHSA-rf6h-5gpw-qrgq | npm/openclaw | OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback | 1 hour ago | Fix available
GHSA-h4jx-hjr3-fhgc | npm/openclaw | OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` | 1 hour ago | Fix available
GHSA-77w2-crqv-cmv3 | npm/openclaw | OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing | 1 hour ago | Fix available
GHSA-3h52-cx59-c456 | npm/openclaw | OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation | 1 hour ago | Fix available
GHSA-rhfg-j8jq-7v2h | npm/openclaw | OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) | 1 hour ago | Fix available
GHSA-52q4-3xjc-6778 | npm/openclaw | OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName | 1 hour ago | Fix available
GHSA-q2qc-744p-66r2 | npm/openclaw | OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility | 1 hour ago | Fix available
GHSA-5jvj-hxmh-6h6j | npm/openclaw | OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope | 1 hour ago | No fix available; Severity - 5.3 (Medium)
GHSA-qpfv-44f3-qqx6 | npm/@mikro-orm/core | MikroORM has Prototype Pollution in Utils.merge | 1 hour ago | Fix available; Severity - 8.3 (High)
GHSA-gwhv-j974-6fxm | npm/@mikro-orm/core | MikroORM is vulnerable to SQL Injection via specially crafted object | 1 hour ago | Fix available; Severity - 9.3 (Critical)
GHSA-g3hj-mf85-679g | Packagist/wwbn/avideo | AVideo: IDOR in uploadPoster.php Allows Any Authenticated User to Overwrite Scheduled Live Stream Posters and Trigger False Socket Notifications | 1 hour ago | No fix available; Severity - 5.4 (Medium)
GHSA-2rm7-j397-3fqg | Packagist/wwbn/avideo | AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking | 1 hour ago | No fix available; Severity - 6.3 (Medium)
GHSA-wprj-9cvc-5w37 | Packagist/wwbn/avideo | AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records | 1 hour ago | No fix available; Severity - 7.5 (High)