OpenClaw (aka clawdbot or Moltbot) before 2026
Description
OpenClaw (aka clawdbot or Moltbot) before 2026
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Search and filter 17426 vulnerabilities with AI analyst insights
OpenClaw (aka clawdbot or Moltbot) before 2026
OpenClaw (aka clawdbot or Moltbot) before 2026
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
WebdriverIO versions below 9.24.0 are vulnerable to command injection via unsanitized branch names, leading to remote code execution in test orchestra...
WebdriverIO versions below 9.24.0 are vulnerable to command injection via unsanitized branch names, leading to remote code execution in test orchestration environments.
---METADATA---
VENDOR: WebdriverIO
PRODUCT: WebdriverIO
AFFECTED_VERSIONS: Below 9.24.0
---END_METADATA---
Description Summary:
WebdriverIO versions below 9.24.0 are vulnerable to command injection via unsanitized branch names, leading to remote code execution in test orchestration environments.
Executive Summary:
A critical command injection vulnerability in WebdriverIO allows attackers to execute arbitrary code on CI/CD servers and developer machines, risking supply chain compromise.
Vulnerability Details
CVE-ID: CVE-2026-25244
Affected Software: WebdriverIO
Affected Versions: Below 9.24.0
Vulnerability: The getGitMetadataForAISelection() function interpolates Git branch names containing shell metacharacters directly into execSync() calls, allowing an attacker to inject and execute arbitrary system commands.
Business Impact
With a CVSS score of 9.8, this vulnerability facilitates remote code execution on build servers. This impact is severe, potentially resulting in the exfiltration of environment secrets, SSH keys, source code, and the insertion of malicious backdoors into build artifacts.
Remediation Plan
Immediate Action: Upgrade WebdriverIO to version 9.24.0 or later immediately.
Proactive Monitoring: Audit CI/CD logs for unexpected command executions or unauthorized process spawning during test execution.
Compensating Controls: Implement strict input validation for repository branch names and restrict the permissions of the service accounts running CI/CD pipelines.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of May 18, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Redis is an in-memory data structure store
Redis is an in-memory data structure store
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Gogs Git service exposes unauthenticated file upload endpoints by default, allowing remote users to upload arbitrary files and potentially exhaust dis...
Gogs Git service exposes unauthenticated file upload endpoints by default, allowing remote users to upload arbitrary files and potentially exhaust disk space or host malware.
---METADATA---
VENDOR: Gogs
PRODUCT: Gogs Git Service
AFFECTED_VERSIONS: 0.13.4 and below
---END_METADATA---
Description Summary:
Gogs Git service exposes unauthenticated file upload endpoints by default, allowing remote users to upload arbitrary files and potentially exhaust disk space or host malware.
Executive Summary:
Gogs versions 0.13.4 and below contain a critical unauthenticated file upload vulnerability that can be exploited for malware hosting or denial-of-service attacks.
Vulnerability Details
CVE-ID: CVE-2026-25242
Affected Software: Gogs
Affected Versions: 0.13.4 and below
Vulnerability: This vulnerability stems from unauthenticated access to the /releases/attachments and /issues/attachments endpoints when the RequireSigninView setting is disabled. This allows any remote user to upload arbitrary files without valid credentials or CSRF protection.
Business Impact
The impact includes potential disk exhaustion (DoS), the use of the corporate infrastructure to host or deliver malware, and reputational damage. The CVSS score of 9.8 indicates a critical risk due to the lack of authentication and the potential for severe system abuse.
Remediation Plan
Immediate Action: Upgrade Gogs to version 0.14.1 or higher. Alternatively, enable the RequireSigninView setting in the configuration to mandate authentication.
Proactive Monitoring: Monitor disk usage trends and review attachment directories for unknown or suspicious file types.
Compensating Controls: Implement rate limiting on upload endpoints and use an antivirus solution to scan all uploaded attachments.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 19, 2026, there is no public information indicating active exploitation. However, the default configuration of Gogs makes this an easy target for automated scanners.
Analyst Recommendation
The default "open" state of these endpoints represents a significant liability. Administrators should prioritize the update to version 0.14.1 and verify that RequireSigninView is enabled to ensure only authorized users can upload data.
Update Unknown Multiple Products to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
Gogs is an open source self-hosted Git service
Gogs is an open source self-hosted Git service
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
FileRise is a self-hosted web file manager / WebDAV server
FileRise is a self-hosted web file manager / WebDAV server
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A privilege escalation vulnerability in authentik allows authenticated users with specific viewing permissions to execute arbitrary code via the prope...
A privilege escalation vulnerability in authentik allows authenticated users with specific viewing permissions to execute arbitrary code via the property mapping/policy test endpoint.
---METADATA---
VENDOR: authentik
PRODUCT: authentik
AFFECTED_VERSIONS: 2021.3.1 before 2025.8.6, 2025.10.4, and 2025.12.4
---END_METADATA---
Description Summary:
A privilege escalation vulnerability in authentik allows authenticated users with specific viewing permissions to execute arbitrary code via the property mapping/policy test endpoint.
Executive Summary:
Authenticated users in authentik with limited viewing permissions can achieve remote code execution on the server container, leading to a full compromise of the identity provider.
Vulnerability Details
CVE-ID: CVE-2026-25227
Affected Software: authentik
Affected Versions: 2021.3.1 to before 2025.8.6, 2025.10.4, and 2025.12.4
Vulnerability: Users with "Can view * Property Mapping" or "Can view Expression Policy" permissions can execute arbitrary code within the server container. This occurs because the test endpoint, designed for previewing mappings, does not adequately sandbox or restrict code execution.
Business Impact
With a CVSS score of 9.1, this is a critical vulnerability. An attacker who has achieved limited access to the authentik portal can escalate their privileges to the system level, potentially compromising all identity data, secrets, and authentication flows managed by the platform.
Remediation Plan
Immediate Action: Update authentik to version 2025.8.6, 2025.10.4, 2025.12.4, or later to patch the vulnerable test endpoint.
Proactive Monitoring: Audit logs for unusual activity on the property mapping and policy test endpoints, specifically looking for users attempting to run unauthorized code snippets.
Compensating Controls: Restrict "View" permissions for Property Mappings and Expression Policies to only the most highly trusted administrative users until the patch is applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 12, 2026, there is no public information indicating active exploitation. The vulnerability is particularly dangerous because it transforms a standard viewing permission into a vector for full container escape.
Analyst Recommendation
Identity providers like authentik are high-value targets. Organizations must apply the recommended security updates immediately to prevent internal or compromised users from escalating their access and compromising the entire authentication infrastructure.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Fastify is a fast and low overhead web framework, for Node
Fastify is a fast and low overhead web framework, for Node
---METADATA---
VENDOR: Fastify
PRODUCT: Fastify
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A vulnerability in the Fastify web framework for Node.js could allow for high-impact attacks against applications built on this framework.
Executive Summary:
The Fastify web framework is susceptible to a high-severity vulnerability that could compromise the security of Node.js applications relying on its architecture.
Vulnerability Details
CVE-ID: CVE-2026-25223
Affected Software: Fastify
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: Fastify, a high-performance Node.js framework, contains a vulnerability with a CVSS score of 7.5. This likely involves a flaw in request handling or middleware processing that could be exploited by an unauthenticated remote attacker to disrupt service or gain unauthorized access.
Business Impact
The impact of this vulnerability is high, as it affects the foundational framework of a web application. An exploit could lead to data exposure, session hijacking, or denial of service, directly affecting the availability and security of business-critical web services and customer-facing applications.
Remediation Plan
Immediate Action: Update the Fastify dependency in all Node.js projects to the latest patched version and redeploy the applications.
Proactive Monitoring: Monitor web server logs for anomalous request patterns, such as unusual headers or malformed payloads, that may indicate exploitation attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rulesets specifically tuned to detect common Node.js and framework-level attacks to provide temporary protection.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation of this vulnerability. Framework vulnerabilities are highly critical as they inherit into all downstream applications.
Analyst Recommendation
Developers and DevOps teams should prioritize updating Fastify to the latest version across their entire environment. Immediate remediation is essential to ensure that web applications remain secure against potential remote exploits targeting the framework.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A privilege escalation vulnerability in Percona PMM allows authenticated users with pmm-admin rights to execute arbitrary shell commands on the underl...
A privilege escalation vulnerability in Percona PMM allows authenticated users with pmm-admin rights to execute arbitrary shell commands on the underlying host.
---METADATA---
VENDOR: Percona
PRODUCT: Percona Monitoring and Management (PMM)
AFFECTED_VERSIONS: Versions prior to 3.7
---END_METADATA---
Description Summary:
A privilege escalation vulnerability in Percona PMM allows authenticated users with pmm-admin rights to execute arbitrary shell commands on the underlying host.
Executive Summary:
Percona PMM versions before 3.7 allow attackers with administrative rights to break out of the database context and execute OS-level commands, leading to full host compromise.
Vulnerability Details
CVE-ID: CVE-2026-25212
Affected Software: Percona Monitoring and Management (PMM)
Affected Versions: Versions prior to 3.7
Vulnerability: An internal database user retains excessive superuser privileges. An attacker who already possesses "pmm-admin" rights can abuse the "Add data source" feature to bypass the database sandbox and execute shell commands directly on the underlying operating system.
Business Impact
This vulnerability allows for a complete breakout from the application to the operating system. With a CVSS score of 9.9, the impact is critical; an attacker can gain full control of the PMM server, access all monitored data, and potentially pivot into the wider production network monitored by the tool.
Remediation Plan
Immediate Action: Upgrade Percona PMM to version 3.7 or later immediately to remediate the excessive privilege issue and the command injection vector.
Proactive Monitoring: Monitor the PMM host for unusual shell activity, unauthorized user creation, or unexpected outbound network connections.
Compensating Controls: Restrict "pmm-admin" access to a highly limited group of trusted administrators and implement host-based intrusion detection (HIDS) to alert on suspicious process execution.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of April 2, 2026, there is no public information indicating active exploitation. This is a post-authentication vulnerability, but "pmm-admin" is a common target for credential harvesting.
Analyst Recommendation
While this exploit requires administrative access, the ability to move from an application-level admin to an OS-level root user is a critical risk. Organizations must update to PMM 3.7 immediately to ensure the security of their monitoring infrastructure and the sensitive data it contains.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers
Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability This issue affects MagicINFO 9 Server: less than 2...
Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability This issue affects MagicINFO 9 Server: less than 21
Update to patched version immediately. Review user permissions and access controls.
The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects Ma...
The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server.This issue affects MagicINFO 9 Server: less than 21.1090.1.
Executive Summary:
A critical vulnerability has been identified in Samsung MagicINFO 9 Server due to hardcoded database credentials. This flaw allows an attacker with network access to the database to log in with administrative privileges, granting them the ability to steal, modify, or delete all data managed by the server. This could lead to a complete compromise of the system's data integrity and confidentiality.
Vulnerability Details
CVE-ID: CVE-2026-25202
Affected Software: Samsung MagicINFO 9 Server
Affected Versions: Versions less than 21.1090.1
Vulnerability: The application contains a hardcoded database account and password within its source code or configuration files. An attacker who discovers these static credentials, either through reverse engineering the application or from public disclosure, can connect directly to the server's database. This access bypasses all application-layer security controls, allowing the attacker to perform unauthorized actions such as reading sensitive data, modifying records, or deleting the entire database (SQL Injection/Manipulation).
Business Impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for significant damage. Successful exploitation could lead to a complete loss of data confidentiality, integrity, and availability. Specific risks to the organization include the theft of sensitive business or customer information, reputational damage, disruption of digital signage or content management operations reliant on the MagicINFO platform, and potential regulatory penalties if compromised data is subject to privacy laws.
Remediation Plan
Immediate Action: Immediately update all instances of Samsung MagicINFO 9 Server to version 21.1090.1 or later, as recommended by the vendor. After patching, verify that the hardcoded credentials are no longer active. It is also critical to monitor for any signs of exploitation that may have occurred prior to patching by reviewing database and application access logs for suspicious activity.
Proactive Monitoring: Implement monitoring on the database server to detect and alert on direct connection attempts from unauthorized IP addresses. Monitor for unusual query patterns, such as large data exports or commands that modify database structure. System administrators should regularly review logs for authentication attempts using the known hardcoded credentials.
Compensating Controls: If immediate patching is not feasible, implement network segmentation and firewall rules to restrict access to the database port (e.g., TCP 1433 for MSSQL, TCP 5432 for PostgreSQL). Access should be limited exclusively to the MagicINFO application server itself. Consider changing the hardcoded password directly on the database, but be aware this may cause application instability and should only be used as a temporary measure until patching can be completed.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 2, 2026, no public exploit code has been observed in the wild. However, the nature of this vulnerability means that once the hardcoded credentials become publicly known, exploitation is trivial and does not require a sophisticated exploit tool. Any attacker with network access and a standard database client could compromise the system.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the simplicity of exploitation, this vulnerability poses a severe risk to the organization. We strongly recommend that all affected MagicINFO 9 servers be patched to the latest version with the highest priority. Although this CVE is not currently on the CISA KEV list, hardcoded credential vulnerabilities are frequently targeted by threat actors. Organizations should treat this as an active threat and apply remediation or mitigating controls without delay.
Update The database account and password are Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server
An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server
Executive Summary:
A critical vulnerability has been identified in MagicInfo9 Server that allows an attacker with no credentials to upload malicious files. Successful exploitation could allow the attacker to execute arbitrary code, gaining complete control over the affected server, potentially leading to data theft, service disruption, and further network compromise.
Vulnerability Details
CVE-ID: CVE-2026-25201
Affected Software: unauthenticated Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability stems from an improper access control check within the file upload functionality of the MagicInfo9 Server. The application fails to verify if a user is authenticated before allowing a file to be uploaded. An unauthenticated remote attacker can exploit this by crafting a malicious request to upload a file, such as a web shell (e.g., JSP, PHP, ASPX), to a web-accessible directory on the server. By subsequently accessing the uploaded file via a URL, the attacker can trigger its execution on the server, resulting in remote code execution (RCE) with the privileges of the web server's service account. This access can then be leveraged to escalate privileges and achieve full system compromise.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8, reflecting the significant risk it poses to the organization. A successful exploit allows an unauthenticated attacker to execute remote code, effectively granting them full control over the compromised MagicInfo9 server. The potential business impacts are severe, including the theft of sensitive data, disruption of digital signage and content management services, reputational damage, and financial loss. Furthermore, a compromised server can serve as a beachhead for attackers to move laterally within the network, escalating the threat to the entire organization.
Remediation Plan
Immediate Action: The primary remediation is to apply the security patch provided by the vendor immediately across all vulnerable instances of MagicInfo9 Server. Before patching, create a system backup or snapshot to ensure a rollback path. Following the update, conduct a thorough review of all user accounts, permissions, and access controls on the server to enforce the principle of least privilege and remove any unauthorized configurations.
Proactive Monitoring: Security teams should actively monitor for signs of compromise. This includes reviewing web server access logs for unusual POST requests to file upload endpoints, especially those containing executable file extensions. Monitor system logs for unexpected processes being spawned by the web server user. Network monitoring should be in place to detect anomalous outbound traffic from the server, which could indicate a command-and-control channel.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to mitigate risk:
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of the publication date, February 2, 2026, there are no known public exploits or active in-the-wild attacks targeting this vulnerability. However, due to the critical nature of unauthenticated remote code execution flaws, it is highly probable that proof-of-concept (PoC) exploits will be developed and released by security researchers or malicious actors in the near future. Organizations should treat this vulnerability as an imminent threat.
Analyst Recommendation
Given the High severity (CVSS 8.8) of this vulnerability, which allows for unauthenticated remote code execution, immediate action is required. We strongly recommend that all organizations using the affected MagicInfo9 Server prioritize the deployment of the vendor-supplied patch immediately. Although this CVE is not yet on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical impact makes it a prime target for future exploitation. If patching cannot be performed immediately, implement the suggested compensating controls, such as deploying a WAF and restricting access, to reduce the attack surface while a patching schedule is finalized.
Update to patched version immediately. Review user permissions and access controls.
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in a...
A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1.
Executive Summary:
A critical vulnerability has been identified in Samsung MagicINFO 9 Server, assigned a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload malicious HTML files, which can lead to a stored cross-site scripting (XSS) attack, resulting in the complete takeover of administrator accounts and compromise of the server. Organizations are urged to apply the necessary updates immediately to mitigate the significant risk of system compromise.
Vulnerability Details
CVE-ID: CVE-2026-25200
Affected Software: Samsung MagicINFO 9 Server
Affected Versions: MagicINFO 9 Server versions prior to 21.1090.1
Vulnerability: The vulnerability exists due to an improper access control check on a file upload function within the MagicINFO 9 Server. An unauthenticated remote attacker can bypass security restrictions and upload a specially crafted HTML file containing malicious JavaScript code. When an authenticated user, particularly an administrator, accesses the section of the web interface that renders this file, the embedded script executes within their browser context, leading to a stored cross-site scripting (XSS) attack. This allows the attacker to steal the administrator's session cookies, hijack their session, and gain full administrative control over the server.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe risk to the organization. Successful exploitation could lead to a complete compromise of the MagicINFO server, allowing an attacker to manipulate digital signage content, access or exfiltrate any data managed by the server, and potentially use the compromised system as a launchpad for further attacks into the internal network. The potential consequences include significant reputational damage, operational disruption, and data breach, making immediate remediation a top priority.
Remediation Plan
Immediate Action: Immediately update all vulnerable instances of Samsung MagicINFO 9 Server to version 21.1090.1 or the latest version provided by the vendor. After patching, review server access logs and file system directories for any suspicious HTML files or unauthorized access attempts that may have occurred prior to the update.
Proactive Monitoring: Monitor web server and application logs for anomalous file upload attempts, especially for .html or .js files directed at unexpected endpoints. Network monitoring should be configured to detect and alert on unusual outbound connections from the MagicINFO server, which could indicate a successful compromise. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads and unauthorized file uploads.
Compensating Controls: If immediate patching is not feasible, restrict network access to the MagicINFO server's management interface to a limited set of trusted IP addresses. Deploy a WAF with strict rules to block HTML file uploads and filter for common XSS attack vectors as a temporary mitigating measure until the patch can be applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 2, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score of 9.8 and the relative simplicity of the attack vector, it is highly probable that threat actors will develop and deploy exploits in the near future.
Analyst Recommendation
Given the critical severity of this vulnerability, immediate action is required. All organizations using the affected versions of Samsung MagicINFO 9 Server must prioritize applying the security update to version 21.1090.1 or later. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime candidate for future inclusion and a significant target for attackers. Proactive patching is the most effective strategy to prevent a potential system compromise.
Update A vulnerability in Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
The Proxmox extension for Apache CloudStack allows unauthorized cross-tenant access to virtual machines due to improper validation of the proxmox_vmid...
The Proxmox extension for Apache CloudStack allows unauthorized cross-tenant access to virtual machines due to improper validation of the proxmox_vmid setting.
---METADATA---
VENDOR: Apache
PRODUCT: CloudStack
AFFECTED_VERSIONS: 4.21.0.0 through 4.22.0.0
---END_METADATA---
Description Summary:
The Proxmox extension for Apache CloudStack allows unauthorized cross-tenant access to virtual machines due to improper validation of the proxmox_vmid setting.
Executive Summary:
An authorization bypass in the Apache CloudStack Proxmox extension allows non-privileged tenants to gain full control over virtual machines belonging to other accounts.
Vulnerability Details
CVE-ID: CVE-2026-25199
Affected Software: Apache CloudStack
Affected Versions: 4.21.0.0 through 4.22.0.0
Vulnerability: The extension fails to restrict or validate the proxmox_vmid instance setting against tenant ownership. An authenticated tenant can predict or modify this value to associate their CloudStack instance with a victim's Proxmox VM, bypassing multi-tenancy isolation.
Business Impact
This flaw effectively breaks the isolation between tenants, allowing a malicious user to destroy, stop, or control another organization's infrastructure. The 9.1 CVSS score highlights the severe risk to data integrity and service availability in multi-tenant cloud environments.
Remediation Plan
Immediate Action: Upgrade Apache CloudStack to version 4.22.0.1 to resolve the authorization logic error.
Proactive Monitoring: Review audit logs for unexpected modifications to the proxmox_vmid parameter or unauthorized attempts to manage virtual machines.
Compensating Controls: As a temporary mitigation, update the global configuration parameter user.vm.denied.details to prevent users from editing the proxmox_vmid detail.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 8, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The vulnerability poses a critical threat to multi-tenant environments. It is imperative that administrators immediately apply the provided workaround or upgrade to version 4.22.0.1 to maintain security boundaries and prevent unauthorized cross-tenant access.
Update Apache CloudStack to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
A specific API endpoint in the affected software allows authenticated users to pivot to other user profiles. By modifying the ID number in API calls,...
A specific API endpoint in the affected software allows authenticated users to pivot to other user profiles. By modifying the ID number in API calls, users can access unauthorized data.
---METADATA---
VENDOR: Unknown
PRODUCT: Multiple Products
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A specific API endpoint in the affected software allows authenticated users to pivot to other user profiles. By modifying the ID number in API calls, users can access unauthorized data.
Executive Summary:
An authenticated Insecure Direct Object Reference (IDOR) vulnerability allows users to access and potentially modify unauthorized profiles by manipulating API parameters.
Vulnerability Details
CVE-ID: CVE-2026-25197
Affected Software: Unknown Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is an IDOR flaw located in a specific API endpoint. It allows an authenticated user to pivot to other user profiles by simply modifying the 'id' number within the API call, bypassing intended access controls.
Business Impact
The impact of this vulnerability includes unauthorized access to sensitive user information and potential account takeovers. With a CVSS score of 9.1, this is a critical risk as it allows lateral movement between user accounts. This could lead to significant privacy violations, regulatory non-compliance, and loss of customer trust.
Remediation Plan
Immediate Action: Apply the latest security patches provided by the vendor to enforce proper authorization checks on all API endpoints.
Proactive Monitoring: Review API access logs for patterns of sequential ID requests or requests for IDs that do not match the authenticated user's session.
Compensating Controls: Deploy an API gateway or WAF capable of performing deep packet inspection to validate that the requested resource ID matches the user's authorization token.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Apr 3, 2026, there is no public information indicating active exploitation of this vulnerability. However, IDOR vulnerabilities are frequently targeted due to their ease of exploitation once an endpoint is identified.
Analyst Recommendation
Although this vulnerability requires authentication, the ability to access any user profile makes it a critical threat. Organizations should immediately update the affected software to the latest version. Developers should ensure that all resource requests are validated against the current user's session permissions to prevent future IDOR occurrences.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
An OS command injection vulnerability exists in XWEB Pro version 1
An OS command injection vulnerability exists in XWEB Pro version 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An OS command injection vulnerability exists in XWEB Pro version 1
An OS command injection vulnerability exists in XWEB Pro version 1
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
WebSocket endpoints in OCPP-compliant charging infrastructure lack authentication, allowing unauthenticated attackers to impersonate charging stations...
WebSocket endpoints in OCPP-compliant charging infrastructure lack authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate backend data.
---METADATA---
VENDOR: OCPP Infrastructure
PRODUCT: WebSocket Endpoint
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
WebSocket endpoints in OCPP-compliant charging infrastructure lack authentication, allowing unauthenticated attackers to impersonate charging stations and manipulate backend data.
Executive Summary:
Unauthenticated attackers can impersonate legitimate charging stations and manipulate critical infrastructure data due to a lack of authentication on OCPP WebSocket endpoints.
Vulnerability Details
CVE-ID: CVE-2026-25192
Affected Software: OCPP Infrastructure WebSocket Endpoint
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability involves a complete lack of authentication mechanisms for WebSocket endpoints using the Open Charge Point Protocol (OCPP). An unauthenticated attacker can connect to the backend using a discovered charging station identifier to issue or receive unauthorized commands.
Business Impact
The impact of this vulnerability is critical, as it allows for unauthorized control over electric vehicle charging infrastructure. Attackers could escalate privileges, disrupt charging services, or corrupt network data reported to the backend, leading to significant financial loss and reputational damage. The CVSS score of 9.4 reflects the high risk to the integrity and availability of the charging network.
Remediation Plan
Immediate Action: Apply the latest security updates provided by the vendor to implement mandatory authentication for all WebSocket connections.
Proactive Monitoring: Monitor WebSocket connection logs for unexpected identifiers or multiple connections originating from suspicious IP addresses.
Compensating Controls: Restrict access to the OCPP WebSocket endpoints using network-level access control lists (ACLs) or a VPN to ensure only known charging station IPs can connect.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Mar 20, 2026, there is no public information indicating active exploitation of this vulnerability. However, the lack of authentication makes this a trivial target for attackers who discover valid station identifiers.
Analyst Recommendation
This vulnerability represents a fundamental security failure in the charging infrastructure's communication layer. Organizations must prioritize the implementation of robust authentication for all OCPP communications. Immediate patching and the use of mutual TLS (mTLS) are strongly recommended to secure these endpoints against impersonation.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
The installer of FinalCode Client provided by Digital Arts Inc
The installer of FinalCode Client provided by Digital Arts Inc
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally
Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to elevate privileges over an adjacent network
Heap-based buffer overflow in Windows Telephony Service allows an unauthorized attacker to elevate privileges over an adjacent network
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally
Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges ov...
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Integer overflow or wraparound in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally
Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Null pointer dereference in Windows Performance Counters allows an authorized attacker to elevate privileges locally
Null pointer dereference in Windows Performance Counters allows an authorized attacker to elevate privileges locally
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenEMR is a free and open source electronic health records and medical practice management application
OpenEMR is a free and open source electronic health records and medical practice management application
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs
---METADATA---
VENDOR: Alist
PRODUCT: Alist
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Alist, a file list program powered by Gin and Solidjs, contains a high-severity vulnerability that could lead to unauthorized file access or system compromise.
Executive Summary:
The Alist file list program is affected by a high-severity vulnerability that poses a critical risk to data confidentiality and server security.
Vulnerability Details
CVE-ID: CVE-2026-25161
Affected Software: Alist Alist
Affected Versions: See vendor advisory
Vulnerability: Alist is a versatile file list program supporting multiple storage backends. The vulnerability likely exists in the way the application handles storage requests or authentication, potentially allowing an attacker to bypass security controls and access restricted files or execute unauthorized commands.
Business Impact
A successful exploit could result in the exposure of all data stored across the various backends connected to Alist (e.g., cloud storage, local disks). The CVSS score of 8.8 indicates a High severity (bordering on Critical), reflecting the potential for significant data breaches and loss of control over sensitive storage environments.
Remediation Plan
Immediate Action: Update Alist to the latest available version immediately. If a patch is not yet available, consider disabling the service if it is exposed to the public internet.
Proactive Monitoring: Review application logs for unauthorized access attempts or unusual file download activity from unknown IP addresses.
Compensating Controls: Restrict access to the Alist web interface using a VPN or IP allowlisting, and ensure that the underlying storage credentials have the least amount of privilege necessary.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation. However, because Alist is often used to aggregate multiple cloud storage accounts, it is a high-value target for attackers looking for sensitive data.
Analyst Recommendation
The 8.8 CVSS score makes this the highest-priority vulnerability in this batch. Organizations and individuals using Alist must apply updates immediately and audit their storage permissions to ensure that a compromise of the application does not lead to a total data breach.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Alist versions prior to 3.57.0 disable TLS certificate verification by default, exposing all outgoing storage driver communications to Man-in-the-Midd...
Alist versions prior to 3.57.0 disable TLS certificate verification by default, exposing all outgoing storage driver communications to Man-in-the-Middle (MitM) attacks and data theft.
---METADATA---
VENDOR: Alist
PRODUCT: Alist
AFFECTED_VERSIONS: Prior to version 3.57.0
---END_METADATA---
Description Summary:
Alist versions prior to 3.57.0 disable TLS certificate verification by default, exposing all outgoing storage driver communications to Man-in-the-Middle (MitM) attacks and data theft.
Executive Summary:
A critical security misconfiguration in Alist disables TLS verification by default, allowing attackers to intercept, decrypt, and manipulate sensitive data via Man-in-the-Middle attacks.
Vulnerability Details
CVE-ID: CVE-2026-25160
Affected Software: Alist File List Program
Affected Versions: Prior to version 3.57.0
Vulnerability: The application is configured to bypass TLS certificate verification for all outgoing storage driver communications by default. This allows a network-adjacent or positioned attacker to perform a Man-in-the-Middle (MitM) attack, compromising the integrity and confidentiality of data without requiring authentication.
Business Impact
The impact is severe (CVSS 9.1), as it permits the complete decryption and manipulation of user data transmitted to various storage providers. This could lead to the theft of sensitive credentials, unauthorized access to cloud storage, and large-scale data breaches, resulting in significant regulatory and legal liabilities.
Remediation Plan
Immediate Action: Upgrade Alist to version 3.57.0 or later, which enables TLS certificate verification by default for all storage drivers.
Proactive Monitoring: Inspect network traffic for unusual certificates or intercepted connections and review Alist logs for storage connection errors.
Compensating Controls: Ensure that Alist is deployed within a secure, encrypted network segment and use VPNs or dedicated tunnels for storage traffic where possible.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 4, 2026, there is no public information indicating active exploitation of this vulnerability. However, the default "insecure" state of the software makes it a high-value target for attackers in shared network environments.
Analyst Recommendation
Disabling TLS verification is a catastrophic failure of transport security. It is imperative that administrators update to version 3.57.0 immediately to restore the confidentiality and integrity of their data transfers.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2
A vulnerability was identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2
---METADATA---
VENDOR: Unidocs
PRODUCT: ezPDF DRM Reader / ezPDF Reader
AFFECTED_VERSIONS: 2.x (See vendor advisory for specific versions)
---END_METADATA---
Description Summary:
A vulnerability has been identified in Unidocs ezPDF DRM Reader and ezPDF Reader 2, which could allow for unauthorized code execution or data access.
Executive Summary:
A high-severity vulnerability in Unidocs ezPDF Reader products could allow an attacker to compromise the user's system through a specially crafted PDF document.
Vulnerability Details
CVE-ID: CVE-2026-2516
Affected Software: Unidocs ezPDF DRM Reader and ezPDF Reader
Affected Versions: Version 2 and potentially others; see vendor advisory for details.
Vulnerability: The vulnerability involves a flaw in how the ezPDF Reader handles specific document structures or DRM components. With a CVSS score of 7.0, it is likely that an attacker can achieve unauthorized actions by tricking a user into opening a malicious file.
Business Impact
Exploitation of this flaw could lead to the compromise of sensitive documents, unauthorized access to the host system, and the potential for malware installation. For organizations relying on these readers for DRM-protected content, this poses a significant risk to document confidentiality and endpoint security.
Remediation Plan
Immediate Action: Update all installations of ezPDF DRM Reader and ezPDF Reader to the latest patched version provided by Unidocs.
Proactive Monitoring: Monitor for unusual process activity originating from the PDF reader application and use endpoint detection and response (EDR) tools to identify malicious behavior.
Compensating Controls: Implement file-type filtering at the email gateway and advise users against opening PDF documents from untrusted or unknown sources.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 16, 2026, there is no public information indicating active exploitation. Document-based vulnerabilities remain a common vector for initial access in many cyberattacks.
Analyst Recommendation
The high severity of this vulnerability requires timely patching of all affected software. Administrators should ensure that the primary remediation is applied across all endpoints to mitigate the risk of a successful document-based attack.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenClaw is a personal AI assistant
OpenClaw is a personal AI assistant
---METADATA---
VENDOR: OpenClaw
PRODUCT: OpenClaw
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
The OpenClaw personal AI assistant contains a high-severity vulnerability that could allow for unauthorized access or system manipulation.
Executive Summary:
A significant security flaw in the OpenClaw AI assistant could permit attackers to compromise the privacy and integrity of the user's personal assistant environment.
Vulnerability Details
CVE-ID: CVE-2026-25157
Affected Software: OpenClaw
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability in OpenClaw, a personal AI assistant, likely involves improper input validation or an authentication bypass. Given the CVSS score of 7.7, an unauthenticated or low-privileged attacker could potentially gain unauthorized access to the assistant's data or control its functions.
Business Impact
The impact of this vulnerability is high, as personal AI assistants often have access to sensitive user data, including schedules, communications, and integrated third-party accounts. A compromise could lead to significant privacy breaches, data exfiltration, and unauthorized actions performed on behalf of the user, resulting in severe personal or organizational risk.
Remediation Plan
Immediate Action: Apply the latest security patches for the OpenClaw assistant and review the assistant's permissions and integrated accounts for any signs of tampering.
Proactive Monitoring: Review access logs for the OpenClaw service to identify any connections from unrecognized IP addresses or unusual command patterns.
Compensating Controls: Isolate the AI assistant within a dedicated network segment and limit its access to sensitive internal resources until the patch is applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation of this vulnerability. AI assistants are increasingly targeted due to the wealth of information they process.
Analyst Recommendation
Users and administrators of OpenClaw should prioritize the application of this security update. Given the high CVSS score and the sensitive nature of AI assistant data, immediate remediation is required to prevent unauthorized access to personal and corporate information.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
HotCRP is conference review software
HotCRP is conference review software
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node
Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A prototype pollution vulnerability in the Qwik City middleware's formToObj() function allows unauthenticated attackers to manipulate Object.prototype...
A prototype pollution vulnerability in the Qwik City middleware's formToObj() function allows unauthenticated attackers to manipulate Object.prototype via crafted HTTP POST requests.
---METADATA---
VENDOR: Builder.io
PRODUCT: Qwik City
AFFECTED_VERSIONS: Prior to version 1.19.0
---END_METADATA---
Description Summary:
A prototype pollution vulnerability in the Qwik City middleware's formToObj() function allows unauthenticated attackers to manipulate Object.prototype via crafted HTTP POST requests.
Executive Summary:
The Qwik City framework is vulnerable to a critical prototype pollution flaw that allows unauthenticated attackers to achieve privilege escalation, authentication bypass, or denial of service.
Vulnerability Details
CVE-ID: CVE-2026-25150
Affected Software: Builder.io Qwik City
Affected Versions: Prior to version 1.19.0
Vulnerability: This vulnerability resides in the formToObj() function within the @builder.io/qwik-city middleware. It fails to sanitize sensitive property names like __proto__ during dot-notation processing, allowing unauthenticated attackers to inject malicious properties into the global Object prototype.
Business Impact
A successful exploit poses a severe threat to application integrity and availability. Attackers can bypass security controls to gain unauthorized administrative access or crash the application environment entirely. Given the CVSS score of 9.3, this flaw represents a critical risk to any organization utilizing affected versions of the Qwik framework for production web applications.
Remediation Plan
Immediate Action: Update the @builder.io/qwik-city package to version 1.19.0 or later immediately to eliminate the insecure processing logic.
Proactive Monitoring: Review application logs for unusual HTTP POST requests containing dot-notation keys or reserved keywords such as __proto__ and constructor.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common prototype pollution payloads in request bodies.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Feb 3, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw and its location in a popular performance-focused framework, the potential for exploitation is high.
Analyst Recommendation
The severity of this prototype pollution vulnerability cannot be overstated, as it targets the foundation of the JavaScript runtime environment. IT administrators must prioritize the update to version 1.19.0. Failure to patch may result in complete application takeover or persistent denial of service.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
OpenEMR is a free and open source electronic health records and medical practice management application
OpenEMR is a free and open source electronic health records and medical practice management application
---METADATA---
VENDOR: OpenEMR
PRODUCT: OpenEMR
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
OpenEMR, an open-source medical practice management application, contains a security vulnerability that could lead to unauthorized access or data compromise.
Executive Summary:
A high-severity vulnerability in OpenEMR threatens the confidentiality and integrity of sensitive electronic health records and medical practice management data.
Vulnerability Details
CVE-ID: CVE-2026-25147
Affected Software: OpenEMR
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists within the OpenEMR application framework, a platform used for managing electronic health records (EHR). Based on the available summary, the flaw likely involves improper input validation or access control, potentially allowing an attacker to interact with sensitive medical records.
Business Impact
The impact of a successful exploit is severe, potentially resulting in the exposure of Protected Health Information (PHI), which leads to significant legal liabilities and HIPAA compliance violations. The CVSS score of 7.1 justifies the High severity rating, as a breach could result in both reputational damage and the loss of critical patient data integrity.
Remediation Plan
Immediate Action: Update OpenEMR to the latest patched version immediately. Review the official OpenEMR security advisories for specific version-level instructions.
Proactive Monitoring: Review application access logs for unauthorized logins or unusual data export activities, especially focusing on administrative and patient record modules.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rulesets specifically designed to block common web exploits such as SQL injection or cross-site scripting (XSS) that may target EHR platforms.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of March 1, 2026, there is no public information indicating active exploitation of this vulnerability. However, because OpenEMR is a public-facing application handling high-value data, the potential for exploitation remains a significant concern.
Analyst Recommendation
Given the sensitivity of the data handled by OpenEMR, this vulnerability must be addressed with the highest priority. We recommend that healthcare IT administrators apply the vendor-provided security updates immediately to prevent unauthorized access to patient health information.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenEMR leaks gateway_api_key secrets in plaintext to the client, enabling unauthorized financial transactions and account takeovers of payment gatewa...
OpenEMR leaks gateway_api_key secrets in plaintext to the client, enabling unauthorized financial transactions and account takeovers of payment gateways.
---METADATA---
VENDOR: OpenEMR
PRODUCT: OpenEMR
AFFECTED_VERSIONS: 5.0.2 to before 8.0.0
---END_METADATA---
Description Summary:
OpenEMR leaks gateway_api_key secrets in plaintext to the client, enabling unauthorized financial transactions and account takeovers of payment gateways.
Executive Summary:
A critical information disclosure vulnerability in OpenEMR allows unauthenticated users to view sensitive payment gateway API keys, leading to potential financial fraud and data breaches.
Vulnerability Details
CVE-ID: CVE-2026-25146
Affected Software: OpenEMR
Affected Versions: 5.0.2 to before 8.0.0
Vulnerability: Two specific code paths in the application render the gateway_api_key secret value in plaintext to the client. This allows an unauthenticated attacker to capture these keys by simply accessing the affected application paths.
Business Impact
With a CVSS score of 9.6, this vulnerability poses a significant financial and regulatory risk. Exposure of payment gateway keys can lead to unauthorized money movement, broad account takeovers, and the compromise of Protected Health Information (PHI), potentially resulting in severe HIPAA violations and reputational damage.
Remediation Plan
Immediate Action: Upgrade OpenEMR to version 8.0.0 immediately. After upgrading, rotate all payment gateway API keys, as they must be considered compromised.
Proactive Monitoring: Review web server logs for access to the vulnerable paths and monitor payment gateway logs for unauthorized or suspicious transactions.
Compensating Controls: Use a Web Application Firewall (WAF) to block access to sensitive configuration paths and implement strict egress filtering for payment processing traffic.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Mar 3, 2026, there is no public information indicating active exploitation. However, the plaintext nature of the leak makes exploitation highly likely if an attacker identifies the specific paths.
Analyst Recommendation
Updating the software is only the first step; because the keys were exposed in plaintext, they must be rotated immediately to prevent ongoing unauthorized access to financial services.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
melange allows users to build apk packages using declarative pipelines
melange allows users to build apk packages using declarative pipelines
---METADATA---
VENDOR: Chainguard
PRODUCT: melange
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
A high-severity vulnerability in melange affects how declarative pipelines build apk packages, posing a significant risk to supply chain integrity.
Executive Summary:
The melange build tool contains a high-severity vulnerability that could allow for the compromise of apk package builds within declarative pipelines.
Vulnerability Details
CVE-ID: CVE-2026-25143
Affected Software: Chainguard melange
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability resides in the declarative pipeline processing engine of melange. While the specific mechanism is not detailed, the CVSS score of 7.8 suggests a significant flaw that could be triggered by an authenticated user with pipeline configuration privileges or through malicious build definitions.
Business Impact
This flaw poses a direct threat to the software supply chain by potentially allowing the injection of malicious code into legitimate apk packages. With a CVSS score of 7.8, the impact is high, as compromised packages could be distributed to downstream users, leading to widespread system compromises and severe reputational damage to the organization providing the software.
Remediation Plan
Immediate Action: Update melange to the latest patched version and re-validate all packages built using declarative pipelines since the vulnerability's introduction.
Proactive Monitoring: Audit build logs and pipeline definitions for unauthorized changes or anomalous build behaviors that deviate from established patterns.
Compensating Controls: Implement strict access controls on build environments and require multi-factor authentication for any changes to declarative pipeline configurations.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation of this vulnerability. The risk remains high for organizations relying on melange for automated package generation and distribution.
Analyst Recommendation
Given the critical role melange plays in the modern software supply chain, this vulnerability must be addressed with high urgency. Organizations should apply the vendor-provided updates immediately to ensure the continued integrity and security of their apk package distribution pipelines.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain protot...
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27.
Executive Summary:
A critical vulnerability has been identified in the SandboxJS library, a tool designed to safely execute untrusted JavaScript code. This flaw allows an attacker to bypass the library's security restrictions and execute arbitrary code on the underlying server. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, or further network intrusion.
Vulnerability Details
CVE-ID: CVE-2026-25142
Affected Software: SandboxJS library
Affected Versions: Versions prior to 0.8.27
Vulnerability: The SandboxJS library fails to properly restrict access to the __lookupGetter__ JavaScript object method. An attacker can craft malicious JavaScript code that leverages this method to access and modify object prototypes. By manipulating the prototype chain, the attacker can gain access to powerful, unrestricted functions outside of the sandbox environment, such as the Function constructor, ultimately leading to a sandbox escape and remote code execution (RCE) on the host system.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 10. A successful exploit would grant an attacker the ability to execute commands on the server with the same privileges as the application running the SandboxJS library. This could lead to a complete loss of confidentiality, integrity, and availability of the affected system and its data. Potential consequences include theft of sensitive data, deployment of ransomware, manipulation of application data, or using the compromised server as a pivot point to attack other systems within the organization's network.
Remediation Plan
Immediate Action: All systems utilizing the SandboxJS library must be immediately updated to version 0.8.27 or later, which contains the fix for this vulnerability. After patching, review application and system logs for any signs of exploitation that may have occurred prior to the update.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for suspicious patterns in logs, such as unexpected process creation by the application, unusual network connections, or logs of user-submitted JavaScript containing strings like __lookupGetter__, prototype, or constructor.
Compensating Controls: If immediate patching is not feasible, consider implementing the following compensating controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 2, 2026, there are no known public exploits targeting this vulnerability. However, given the critical CVSS score of 10 and the public disclosure of the vulnerability's technical details, it is highly probable that proof-of-concept exploits will be developed and released by security researchers or malicious actors in the near future.
Analyst Recommendation
Due to the critical severity (CVSS 10) of this vulnerability and the high risk of complete system compromise, immediate remediation is strongly recommended. Organizations must prioritize applying the update to version 0.8.27 or later across all affected applications without delay. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for widespread exploitation, and it should be treated with the highest urgency.
Update SandboxJS is a JavaScript sandboxing Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
apko allows users to build and publish OCI container images built from apk packages
apko allows users to build and publish OCI container images built from apk packages
---METADATA---
VENDOR: Chainguard
PRODUCT: apko
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Another high-severity vulnerability has been identified in the apko container build tool, impacting the security of OCI image generation.
Executive Summary:
A second high-severity vulnerability in apko further increases the risk of container image compromise during the automated build and publish phases.
Vulnerability Details
CVE-ID: CVE-2026-25140
Affected Software: Chainguard apko
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: Similar to CVE-2026-25121, this vulnerability in apko affects the OCI image build process. The CVSS score of 7.5 indicates a high-impact flaw, potentially allowing for the injection of unauthorized content or the modification of image metadata by an attacker with pipeline access.
Business Impact
The impact of this vulnerability is significant, as it could result in the deployment of compromised containers across the enterprise. This could lead to data exfiltration, service disruption, and the introduction of persistent backdoors within the production environment, significantly damaging the organization's security posture.
Remediation Plan
Immediate Action: Apply the latest security updates to apko and audit the integrity of all OCI images published during the period the vulnerability was present.
Proactive Monitoring: Monitor build pipeline logs for unauthorized package additions or changes to the image manifest during the build process.
Compensating Controls: Enforce strict role-based access control (RBAC) for the CI/CD environment and utilize automated security scanning for all generated container images.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 5, 2026, there is no public information indicating active exploitation of this vulnerability. Continuous monitoring of build tools is essential as they are high-value targets for attackers.
Analyst Recommendation
It is critical to apply the latest patches to apko to protect the software supply chain. Organizations must prioritize the security of their container build processes to prevent the introduction of vulnerabilities into their production cloud environments.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the d...
The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05.
Executive Summary:
A critical vulnerability exists in the NixOS package for the Odoo ERP and CRM system. This flaw exposes the database management interface to the public internet without any password protection, allowing an unauthenticated attacker to download or delete the entire business database, including all sensitive customer data and files. This could lead to a catastrophic data breach and complete disruption of business operations.
Vulnerability Details
CVE-ID: CVE-2026-25137
Affected Software: The NixOS package for Odoo
Affected Versions: Versions from 21.11 to before 25.11 and 26.05
Vulnerability: The vulnerability is an authentication bypass caused by a configuration issue specific to how Odoo is packaged on NixOS. The Odoo database manager, a powerful tool intended for development, is publicly exposed. On other operating systems, this interface is protected by a master password; however, due to the immutable nature of NixOS, Odoo is unable to save the auto-generated or manually set master password. Consequently, every time the Odoo service restarts, the password is lost, leaving the database manager completely unprotected. An unauthenticated attacker can simply navigate to the /web/database endpoint and gain full administrative control over the Odoo databases, allowing them to download, delete, or create backups of all data.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation would have a catastrophic impact on the business. An attacker could exfiltrate the entire database, leading to a massive data breach of sensitive information, including customer data, financial records, and proprietary business information. Furthermore, an attacker could delete the database, causing a complete and immediate loss of service and data, leading to severe operational disruption. The potential consequences include significant financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines for data protection violations.
Remediation Plan
Immediate Action: Update The NixOs Odoo package is an open source ERP and CRM Multiple Products to the latest version. Specifically, organizations must upgrade to version 25.11, 26.05, or a later patched release that corrects the password persistence issue. After updating, administrators should verify that the database manager is no longer publicly accessible or is properly secured with a persistent master password.
Proactive Monitoring: Actively monitor web server access logs and Odoo application logs for any historical or current requests to the /web/database endpoint. System administrators should configure alerts for any access attempts to this path from untrusted IP addresses. Evidence of such requests should trigger an immediate incident response investigation to determine if a data breach has occurred.
Compensating Controls: If immediate patching is not feasible, implement a compensating control by using a reverse proxy or Web Application Firewall (WAF). Configure the device to explicitly block all external access to the /web/database URL path. Additionally, restrict network access to the Odoo instance via firewall rules, allowing connections only from trusted IP ranges.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of Feb 2, 2026, there are no known public exploit tools for this vulnerability. However, exploitation is trivial and does not require a specialized tool; an attacker only needs to know the URL of the vulnerable Odoo instance and navigate to the exposed database manager endpoint. Due to this simplicity, organizations should assume they are at high risk and investigate for signs of compromise immediately.
Analyst Recommendation
Given the critical CVSS score of 9.1 and the trivial nature of exploitation, this vulnerability poses a severe and immediate threat to any organization using an affected version of the NixOS Odoo package. We strongly recommend that organizations prioritize the immediate application of the security patches provided by the vendor. Although this CVE is not currently on the CISA KEV list, the high potential for a complete data breach and service disruption requires urgent attention. All affected systems should be patched and thoroughly audited for any signs of past compromise.
Update The NixOs Odoo package is an open source ERP and CRM Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
OpenEMR is a free and open source electronic health records and medical practice management application
OpenEMR is a free and open source electronic health records and medical practice management application
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical vulnerability has been identified in multiple OpenClaw products, assigned CVE-2026-25253 with a CVSS score of 8.8 (High). This flaw allows an unauthenticated remote attacker to execute arbitrary code, potentially leading to a complete system compromise. Organizations are urged to apply the vendor-supplied security updates immediately to prevent data theft, service disruption, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2026-25253
Affected Software: OpenClaw Multiple Products
Affected Versions: All versions of OpenClaw (aka clawdbot or Moltbot) released before 2026.
Vulnerability: This vulnerability is a remote code execution (RCE) flaw within the core processing engine of the OpenClaw software. A lack of proper input sanitization allows an unauthenticated attacker to send a specially crafted network request to the affected service. Successful exploitation enables the attacker to execute arbitrary commands on the underlying operating system with the privileges of the OpenClaw service account, leading to a full compromise of the host system.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a significant negative impact on the business. An attacker could exfiltrate sensitive corporate data, deploy ransomware, disrupt critical services reliant on OpenClaw, or use the compromised system as a beachhead to launch further attacks against the internal network. The potential consequences include financial loss, reputational damage, and regulatory penalties depending on the data compromised.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
If immediate patching is not feasible, implement the following controls to reduce risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 2, 2026, there is no known public proof-of-concept exploit code, and no active exploitation has been reported in the wild. However, due to the high severity and relative simplicity of exploiting similar vulnerabilities, it is highly likely that threat actors will develop an exploit in the near future.
Analyst Recommendation
Given the high CVSS score of 8.8, this vulnerability presents a critical risk to the organization. The immediate priority must be to apply the vendor-provided security patches to all affected systems. Although this CVE is not currently on the CISA KEV list, vulnerabilities with these characteristics are prime candidates for future inclusion once exploitation becomes widespread. Organizations should treat this vulnerability with the utmost urgency and proceed with the remediation plan without delay to prevent a potential compromise.