π¨ CVE-2026-55568
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
π@cveNotify
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
π@cveNotify
GitHub
Silent HTTPS-Proxy Downgrade to Cleartext in guzzlehttp/guzzle
### Impact
The built-in cURL handlers (`GuzzleHttp\Handler\CurlHandler` and `GuzzleHttp\Handler\CurlMultiHandler`, used by default whenever the PHP cURL extension is available) accept an `https:...
The built-in cURL handlers (`GuzzleHttp\Handler\CurlHandler` and `GuzzleHttp\Handler\CurlMultiHandler`, used by default whenever the PHP cURL extension is available) accept an `https:...
π¨ CVE-2026-55766
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again. Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This vulnerability is fixed in 2.12.1.
π@cveNotify
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x, for example with Message::toString() or an equivalent serializer, the serialized message could contain attacker-controlled header lines. The issue can also be reached through Message::parseRequest() or Message::parseResponse() when malformed raw messages are parsed into first-party PSR-7 objects and then serialized again. Creating or modifying a Request, Response, or other PSR-7 object alone is not sufficient. The issue requires the malformed message to be serialized and written to the network, forwarded, replayed, or otherwise processed by software that does not independently reject the malformed start line. This vulnerability is fixed in 2.12.1.
π@cveNotify
GitHub
CRLF Injection in HTTP Start-Line Serialization in guzzlehttp/psr7
### Impact
`guzzlehttp/psr7` did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application pl...
`guzzlehttp/psr7` did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application pl...
π¨ CVE-2026-55767
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
π@cveNotify
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
π@cveNotify
GitHub
Dot-Only Cookie Domains Match All Hosts in guzzlehttp/guzzle
### Impact
`CookieJar` incorrectly accepts cookies with a dot-only `Domain` attribute, such as `Domain=.`, `Domain=..`, `Domain=...`, and whitespace-padded variants such as `Domain= . `. In affe...
`CookieJar` incorrectly accepts cookies with a dot-only `Domain` attribute, such as `Domain=.`, `Domain=..`, `Domain=...`, and whitespace-padded variants such as `Domain= . `. In affe...
π¨ CVE-2026-56402
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.
π@cveNotify
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response payloads without proper role validation.
π@cveNotify
GitHub
Merge pull request #2478 from Hinotoi-agent/security/approval-respons⦠· nanocoai/nanoclaw@6227bd1
β¦e-admin-authz
[security] fix(approvals): require admin for approval responses
[security] fix(approvals): require admin for approval responses
π¨ CVE-2026-56692
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
π@cveNotify
NanoClaw before 2.1.17 contains a symlink following vulnerability in forwardAttachedFiles that allows container-controlled agents to exfiltrate host-readable files. The host validates attachment filenames using only isSafeAttachmentName before copying with fs.copyFileSync, which follows symlinks without containment checks, allowing malicious agents to disclose arbitrary host files.
π@cveNotify
GitHub
Merge pull request #2468 from Hinotoi-agent/security/a2a-attachment-s⦠· nanocoai/nanoclaw@28032bc
β¦ymlink-guard
[security] fix(agent-route): reject unsafe forwarded attachments
[security] fix(agent-route): reject unsafe forwarded attachments
π¨ CVE-2026-56693
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container configurations, and destinations, escalating beyond their intended confinement boundary.
π@cveNotify
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the create_agent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke create_agent to create arbitrary agent groups, container configurations, and destinations, escalating beyond their intended confinement boundary.
π@cveNotify
GitHub
Merge pull request #2720 from nanocoai/security/authorize-create-agent Β· nanocoai/nanoclaw@ac37ecb
security: authorize create_agent host-side (approval for confined groups)
π¨ CVE-2026-56695
OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.
π@cveNotify
OpenHarness ohmo gateway /resume and /summary slash commands default remote_invocable to True, allowing admitted remote senders to enumerate and load arbitrary session snapshots by ID. Attackers can exploit this to access victim snapshots containing private prompts, credentials, tool output, and file paths via shared gateway channels.
π@cveNotify
GitHub
Merge branch 'pr-276' into codex/pr-merge-test-20260524 Β· HKUDS/OpenHarness@92e2988
"OpenHarness: Open Agent Harness with a Built-in Personal Agent--Ohmo!" - Merge branch 'pr-276' into codex/pr-merge-test-20260524 Β· HKUDS/OpenHarness@92e2988
π¨ CVE-2026-56696
OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.
π@cveNotify
OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.
π@cveNotify
GitHub
Merge branch 'pr-272' into codex/pr-merge-test-20260524 Β· HKUDS/OpenHarness@27bb93b
"OpenHarness: Open Agent Harness with a Built-in Personal Agent--Ohmo!" - Merge branch 'pr-272' into codex/pr-merge-test-20260524 Β· HKUDS/OpenHarness@27bb93b
π¨ CVE-2025-13162
Uncontrolled Search Path Element vulnerability in ABB Control Builder A, ABB 800xA for Advant Master.
This issue affects Control Builder A: through 1.4/4; 800xA for Advant Master: through 6.0.3-1, through 6.1.1-1, 6.1.1-3, 6.2.0-1.
π@cveNotify
Uncontrolled Search Path Element vulnerability in ABB Control Builder A, ABB 800xA for Advant Master.
This issue affects Control Builder A: through 1.4/4; 800xA for Advant Master: through 6.0.3-1, through 6.1.1-1, 6.1.1-3, 6.2.0-1.
π@cveNotify
π¨ CVE-2025-61018
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sqlo_place_dt_set` Β· Issue #1224 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 REAL NULL CHECK( 2 = 2 ) ) ; UPDATE v0 SET v1 = 2 WHERE ( SELECT v1 v1 ) IN ( SELECT...
π¨ CVE-2025-61019
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sqlo_key_part_best component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sqlo_key_part_best` Β· Issue #1222 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 DECIMAL NOT NULL PRIMARY KEY CHECK ( v1 = v1 AND v1 = v1 AND v1 = v1 ) UNIQUE ) ; CR...
π¨ CVE-2025-61020
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sqlo_strip_in_join` Β· Issue #1225 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 nvarchar ) ; UPDATE v0 SET v1 = v1 + 1 WHERE v1 IN ( SELECT xmlagg ( ABS ( 9 ) ) FRO...
π¨ CVE-2025-61021
An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sqlo_natural_join_cond` Β· Issue #1223 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 INT NOT NULL NOT NULL NOT NULL CHECK ( v1 ) , v2 INT UNIQUE NOT NULL , v3 INT UNIQUE...
π¨ CVE-2025-61022
An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sqlo_tb_col_preds component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sqlo_tb_col_preds` Β· Issue #1226 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v2 ( v3 INTEGER ) ; SELECT * FROM v2 LEFT JOIN v2 AS constraintdef ON v2 . v3 = v2 . v3 AND ...
π¨ CVE-2025-61023
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `st_compare` Β· Issue #1230 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 INTEGER CHECK ( ( SELECT ( SELECT v1 + v1 AS b_plus_one ) ) ) ) ; INSERT INTO v0 SEL...
π¨ CVE-2025-61025
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `sslr_qst_get` Β· Issue #1229 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE x ( x INT PRIMARY KEY CHECK ( CASE WHEN x = ( SELECT x FROM x WHERE ( 'x' ) GROUP BY...
π¨ CVE-2025-61027
An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the t_set_push component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `t_set_push` Β· Issue #1232 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 DATE NULL ) ; UPDATE v0 SET v1 = v1 + 2 WHERE v1 IN ( SELECT v1 , SUM ( v1 ) AS zero...
π¨ CVE-2025-61028
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
π@cveNotify
GitHub
Fuzzer: Virtuoso 7.2.11 crashed at `time_t_to_dt` Β· Issue #1233 Β· openlink/virtuoso-opensource
The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image. CREATE TABLE v0 ( v1 DATE NULL ) ; INSERT INTO v0 ( v1 , v1 ) VALUES ( 72057594037927935 , '-675 seco...
π¨ CVE-2026-11940
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330.
π@cveNotify
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330.
π@cveNotify
GitHub
`tarfile.extractall(filter='data')` allows symlink escape through hardlink-extraction fallback Β· Issue #151558 Β· python/cpython
More details to follow - patience is bitter, but its fruit is sweet. ;-) Linked PRs gh-151559 gh-151997 gh-151998 gh-151999 gh-152000 gh-152001
π¨ CVE-2026-12957
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted.
To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
π@cveNotify
Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted.
To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.
π@cveNotify
π¨ CVE-2026-12958
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.
To remediate this issue, users should upgrade to version 1.69.0 or higher.
π@cveNotify
Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.
To remediate this issue, users should upgrade to version 1.69.0 or higher.
π@cveNotify