Aggregator

A vulnerability categorized as problematic has been discovered in MervinPraison PraisonAI up to 4.5.127. Affected is the function _sanitize_html of the file src/praisonai/api.py of the component Flask API Endpoint. The manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2026-40112. The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127. It has been rated as problematic. This impacts the function os.path.expandvars of the file shell_tools.py. The manipulation leads to exposure of sensitive information through environmental variables. This vulnerability is listed as CVE-2026-40153. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

A vulnerability was found in OpenClaw up to 2026.3.21. It has been declared as critical. This affects an unknown function. Executing a manipulation can lead to incorrect behavior order. This vulnerability is tracked as CVE-2026-35637. The attack can be launched remotely. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability was found in OpenClaw up to 2026.3.24. It has been classified as critical. The impacted element is an unknown function. Performing a manipulation results in authentication bypass using alternate channel. This vulnerability is identified as CVE-2026-35642. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability was found in OpenClaw up to 2026.3.21 and classified as critical. The affected element is an unknown function. Such manipulation leads to incorrect user management. This vulnerability is referenced as CVE-2026-35638. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability has been found in OpenClaw up to 2026.3.24 and classified as problematic. Impacted is the function session_status of the component Restrictions Handler. This manipulation causes incorrect behavior order. The identification of this vulnerability is CVE-2026-35636. It is possible to initiate the attack remotely. There is no exploit available. To fix this issue, it is recommended to deploy a patch.

HackerNews 编译，转载请注明出处： 广泛使用的第三方安卓软件开发工具包EngageLab SDK中一处已修复的安全漏洞细节曝光，该漏洞可能使数百万加密货币钱包用户面临风险。 微软Defender安全研究团队今日发布的报告中表示：“该缺陷允许同一设备上的应用绕过安卓安全沙箱，获取私有数据的未授权访问。” EngageLab SDK提供推送通知服务，据其网站介绍，旨在基于开发者已追踪的用户行为发送”及时通知”。集成至应用后，该SDK可发送个性化通知并驱动实时互动。 这家科技巨头称，大量使用该SDK的应用属于加密货币和数字钱包生态系统，受影响钱包应用安装量超过3000万。若计入基于同一SDK构建的非钱包应用，安装量突破5000万。 微软未透露应用名称，但指出所有检测到使用漏洞版本SDK的应用已从Google Play商店移除。经2025年4月负责任披露后，EngageLab于2025年11月发布5.2.1版本修复该漏洞。 该问题在4.5.4版本中被识别，被描述为意图重定向漏洞。安卓中的意图指用于向另一应用组件请求操作的消息对象。 意图重定向发生在脆弱应用发送的意图内容被利用其可信上下文（即权限）操纵时，以获取受保护组件的未授权访问、暴露敏感数据或在安卓环境内提升权限。 攻击者可通过设备上通过其他方式安装的恶意应用利用该漏洞，访问集成SDK应用关联的内部目录，导致敏感数据的未授权访问。 尚无证据表明该漏洞曾被恶意利用。尽管如此，建议集成该SDK的开发者尽快更新至最新版本，尤其考虑到上游库中即使是微小缺陷也可能产生连锁影响，波及数百万设备。 微软表示：”此案例显示第三方SDK中的弱点可能产生大规模安全影响，尤其在数字资产管理等高价值领域。应用日益依赖第三方SDK，形成庞大且往往不透明的供应链依赖。当集成暴露导出组件或依赖跨应用边界未验证的信任假设时，这些风险会增加。” 消息来源：thehackernews.com； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability, which was classified as problematic, was found in OpenClaw up to 2026.3.21. This issue affects some unknown processing of the component Configuration Handler. The manipulation results in incorrectly-resolved name. This vulnerability was named CVE-2026-35635. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in OpenClaw up to 2026.3.21. This vulnerability affects unknown code. The manipulation leads to reliance on untrusted inputs in a security decision. This vulnerability is uniquely identified as CVE-2026-35624. The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability classified as critical was found in OpenClaw up to 2026.3.22. This affects an unknown part of the component Signature Verification. Executing a manipulation can lead to authentication bypass by capture-replay. This vulnerability is handled as CVE-2026-35618. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability classified as problematic has been found in wolfSSL up to 5.9.0. Affected by this issue is some unknown functionality. Performing a manipulation results in out-of-bounds read. This vulnerability is known as CVE-2026-5393. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in wolfSSL up to 5.9.0. Affected by this vulnerability is the function PKCS7_VerifySignedData of the component PKCS7 Parser. Such manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2026-5392. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability marked as problematic has been reported in OpenClaw up to 2026.3.24. Affected is the function operator.admin. This manipulation causes incorrect use of privileged apis. This vulnerability appears as CVE-2026-35625. The attack requires local access. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in Juniper JSI LWC up to 3.0.93. This impacts an unknown function of the component Virtual Lightweight Collector. The manipulation results in permissive list of allowed inputs. This vulnerability is reported as CVE-2026-21915. The attack requires a local approach. No exploit exists. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in nimiq core-rs-albatross up to 1.3.0. This affects the function Policy::supply_at of the file blockchain/src/reward.rs of the component Block Handler. The manipulation leads to improper validation of specified quantity in input. This vulnerability is documented as CVE-2026-40093. The attack can be initiated remotely. There is not any exploit available.

A vulnerability categorized as critical has been discovered in certificateswolfSSL up to 5.9.0. The impacted element is an unknown function of the file wolfcrypt/src/asn.c of the component Certificate Chain Handler. Executing a manipulation can lead to improper certificate validation. This vulnerability is registered as CVE-2026-5263. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in MervinPraison PraisonAI up to 4.5.127. It has been rated as critical. The affected element is the function webhook_url of the file /api/v1/runs of the component HTTP POST Request Handler. Performing a manipulation results in server-side request forgery. This vulnerability is cataloged as CVE-2026-40114. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127. It has been declared as problematic. Impacted is the function read_skill_file of the file skill_tools.py. Such manipulation of the argument skill_path leads to missing authorization. This vulnerability is listed as CVE-2026-40117. The attack must be carried out locally. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability was found in MervinPraison PraisonAI up to 4.5.127. It has been classified as critical. This issue affects some unknown processing of the file deploy.py of the component Cloud Run Service. This manipulation of the argument openai_model/openai_key/openai_base causes argument injection. This vulnerability is tracked as CVE-2026-40113. The attack is restricted to local execution. No exploit exists. Upgrading the affected component is recommended.

A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127 and classified as critical. This vulnerability affects the function subprocess.run of the file src/praisonai-agents/praisonaiagents/memory/hooks.py of the component Configuration Handler. The manipulation results in os command injection. This vulnerability is identified as CVE-2026-40111. The attack is only possible with local access. There is not any exploit available. It is suggested to upgrade the affected component.