๐จ CVE-2026-0919
The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalidโURL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
๐@cveNotify
The HTTP parser of Tapo C210 v3, C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalidโURL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service.
๐@cveNotify
๐จ CVE-2026-4957
A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Gist
Incomplete API Key Masking in `function_handler.py` Leads to Sensitive Credential Disclosure via Logs and WebSocket
Incomplete API Key Masking in `function_handler.py` Leads to Sensitive Credential Disclosure via Logs and WebSocket - ISSUE-Github-REPORT-ApiKeyDisclosure.md
๐จ CVE-2026-4958
A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interaction_id leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability has been found in OpenBMB XAgent 1.0.0. This affects the function ReplayServer.on_connect/ReplayServer.send_data of the file XAgentServer/application/websockets/replayer.py of the component WebSocket Endpoint. Such manipulation of the argument interaction_id leads to authorization bypass. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Gist
Insecure Direct Object Reference (IDOR) on `/ws/replay/` Endpoint Allows Any Authenticated User to Steal Third-Party API Keys fromโฆ
Insecure Direct Object Reference (IDOR) on `/ws/replay/` Endpoint Allows Any Authenticated User to Steal Third-Party API Keys from Other Users' Interactions - ISSUE-Github-REPORT-ReplayIDOR...
๐จ CVE-2026-5446
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
๐@cveNotify
In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard.
๐@cveNotify
GitHub
Fix ARIA build issue and FIPS guard by embhorn ยท Pull Request #10111 ยท wolfSSL/wolfssl
Description
Fix FIPS gating of ARIA cipher IV calc and build issue with SM4 without ChaCha/Poly1305
Fixes zd21465
Testing
Local test
Checklist
added tests
updated/added doxygen
updated appropri...
Fix FIPS gating of ARIA cipher IV calc and build issue with SM4 without ChaCha/Poly1305
Fixes zd21465
Testing
Local test
Checklist
added tests
updated/added doxygen
updated appropri...
๐จ CVE-2026-5447
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension.
๐@cveNotify
Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension.
๐@cveNotify
GitHub
Fix CertFromX509 copy length check by embhorn ยท Pull Request #10112 ยท wolfSSL/wolfssl
Description
Fix CertFromX509 by adding a length check before copy.
Fixes zd21470
Testing
Added test_x509_CertFromX509_akid_overflow
Checklist
added tests
updated/added doxygen
updated appropria...
Fix CertFromX509 by adding a length check before copy.
Fixes zd21470
Testing
Added test_x509_CertFromX509_akid_overflow
Checklist
added tests
updated/added doxygen
updated appropria...
๐จ CVE-2026-5263
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.
๐@cveNotify
URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.
๐@cveNotify
GitHub
Enforce URI name constraints in ConfirmNameConstraints by anhu ยท Pull Request #10048 ยท wolfSSL/wolfssl
Fixes ZD21400
๐จ CVE-2026-5264
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.
๐@cveNotify
Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.
๐@cveNotify
GitHub
Dtls13: ack management improvements by rizlik ยท Pull Request #10076 ยท wolfSSL/wolfssl
Improve DTLS 1.3 ACK record handling, enforcing record count limits. It also introduces comprehensive tests for these edge cases.
Added a strict upper bound (DTLS13_ACK_MAX_RECORDS) on the number ...
Added a strict upper bound (DTLS13_ACK_MAX_RECORDS) on the number ...
๐จ CVE-2026-41332
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.
๐@cveNotify
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.
๐@cveNotify
GitHub
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
## Summary
Host execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content.
## Impact
An...
Host execution env sanitization did not block `GIT_TEMPLATE_DIR` or `AWS_CONFIG_FILE`, even though both can redirect trusted tooling to attacker-controlled content.
## Impact
An...
๐จ CVE-2026-41339
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
๐@cveNotify
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
๐@cveNotify
GitHub
Limit connect snapshot metadata to admin-scoped clients (#58469) ยท openclaw/openclaw@676b748
* fix(gateway): gate connect snapshot metadata by scope
* fix(gateway): clarify connect snapshot trust boundary
* fix(gateway): note connect snapshot change in changelog
* fix(gateway): remove c...
* fix(gateway): clarify connect snapshot trust boundary
* fix(gateway): note connect snapshot change in changelog
* fix(gateway): remove c...
๐จ CVE-2026-31612
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate EaNameLength in smb2_get_ea()
smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.
Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.
๐@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: validate EaNameLength in smb2_get_ea()
smb2_get_ea() reads ea_req->EaNameLength from the client request and
passes it directly to strncmp() as the comparison length without
verifying that the length of the name really is the size of the input
buffer received.
Fix this up by properly checking the size of the name based on the value
received and the overall size of the request, to prevent a later
strncmp() call to use the length as a "trusted" size of the buffer.
Without this check, uninitialized heap values might be slowly leaked to
the client.
๐@cveNotify
๐จ CVE-2026-5941
Parsing logic flaws cause non-signature data to be misidentified as valid signatures when processing malformed form field hierarchies, leading to invalid memory writes and program crashes during internal data structure construction.
๐@cveNotify
Parsing logic flaws cause non-signature data to be misidentified as valid signatures when processing malformed form field hierarchies, leading to invalid memory writes and program crashes during internal data structure construction.
๐@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
๐จ CVE-2026-5942
Flaws in page lifecycle management allow document structure changes to desynchronize internal component states, causing subsequent operations to access invalidated objects and crash the program.
๐@cveNotify
Flaws in page lifecycle management allow document structure changes to desynchronize internal component states, causing subsequent operations to access invalidated objects and crash the program.
๐@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
๐จ CVE-2026-5943
Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information queries.
๐@cveNotify
Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information queries.
๐@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
๐จ CVE-2026-7233
A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.
๐@cveNotify
A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet.
๐@cveNotify
Artifex
Artifex | Open Source Power, Enterprise Performance
Artifex builds open-source SDKs and librariesโlike Ghostscript, MuPDF, and PyMuPDFโto drive document workflows from printing to LLMs via code and APIs.
๐จ CVE-2026-7111
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption.
The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead.
Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
๐@cveNotify
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption.
The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead.
Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
๐@cveNotify
๐จ CVE-2025-56534
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
๐@cveNotify
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
๐@cveNotify
GitHub
GitHub - MarkArtamonov/OpenNebula-CVE-2025-56534: Stored XSS in OpenNebula v6.10.0.1
Stored XSS in OpenNebula v6.10.0.1. Contribute to MarkArtamonov/OpenNebula-CVE-2025-56534 development by creating an account on GitHub.
๐จ CVE-2026-3503
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion.
This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
๐@cveNotify
Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion.
This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6.
๐@cveNotify
GitHub
ML-KEM/ML-DSA: harden against fault attacks by SparkiDev ยท Pull Request #9734 ยท wolfSSL/wolfssl
Description
ML-DSA: check pointer to the y parameter has not be faulted.
ML-KEM: to harden against faultiong, use a different buffer for private seed, sigma, and add a check that the buffer was cop...
ML-DSA: check pointer to the y parameter has not be faulted.
ML-KEM: to harden against faultiong, use a different buffer for private seed, sigma, and add a check that the buffer was cop...
๐จ CVE-2026-4159
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
๐@cveNotify
1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default.
๐@cveNotify
GitHub
Avoid one-byte read outside of allocated encrypted content buffer in wc_PKCS7_DecodeEnvelopedData() by holtrop-wolfssl ยท Pull Requestโฆ
Description
Fixes zd#21327
Testing
How did you test?
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and documentation
Fixes zd#21327
Testing
How did you test?
Checklist
added tests
updated/added doxygen
updated appropriate READMEs
Updated manual and documentation
๐จ CVE-2026-31847
Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.
๐@cveNotify
Hidden functionality in the /goform/setSysTools endpoint in Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 allows remote enablement of a Telnet service. By sending a crafted POST request with parameters such as telnetManageEn=true and telnetPwd, an authenticated attacker can activate a Telnet service on port 23. This exposes a privileged diagnostic interface that is not intended for external access and can be used to interact with the underlying system.
๐@cveNotify
๐จ CVE-2026-31848
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.
๐@cveNotify
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecos_pw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid cookie value without proper authentication. This allows unauthorized administrative access to protected endpoints.
๐@cveNotify
๐จ CVE-2026-31849
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administratorโs browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.
๐@cveNotify
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an authenticated administratorโs browser, leading to unauthorized configuration changes, including enabling services or modifying system settings.
๐@cveNotify