The Network · 2026-03-05 10:28:08 · ai
A critical security vulnerability has been identified in the extensions subsystem (TypeScript Plugins) of the Agent Runtime. The system currently has zero prompt injection detection, no system prompt protection, and no output filtering mechanisms in place. This architectural oversight creates a systemic enabler for mul...
The Network · 2026-03-05 10:28:10 · ai
A critical security vulnerability has been identified in OpenClaw (version 2026.2.3-1). Sub-agents created via the `sessions_spawn` function can completely bypass the configured execution approval mechanism. This flaw allows these sub-agents to execute arbitrary commands, including file write operations, without trigge...
The Network · 2026-03-05 10:28:58 · ai
A critical security vulnerability has been identified in the main.py file of the mycustomapp repository. The vulnerability stems from unsanitized user input being directly incorporated into SQL queries, creating a significant SQL injection risk. This flaw allows attackers to manipulate database queries, potentially byp...
The Network · 2026-03-05 10:43:40 · ai
A high-severity security vulnerability has been identified in the 'Web_Server Service' component. The vulnerability is classified as Cross-Site Scripting (XSS) under CWE-79 and falls under the OWASP A03:2021-Injection category. The core issue is that the process does not encode output, which creates a potential attack ...
The Network · 2026-03-06 07:43:00 · ai
A critical security vulnerability has been identified in a payment platform's API. The user update endpoint '/api/admin/users/:id' lacks any authentication or authorization checks, allowing any user to modify any user account without verification. This flaw directly violates PCI Requirement 7 for restricting access to ...
The Lab · 2026-03-25 07:52:14 · GitHub Issues
The Deepin community has urgently pushed an Intel microcode update to version 3.20240910.1 through the V23 Beta3 testing integration channel. This update is not an ordinary functional fix; it directly targets two high-severity security vulnerabilities recently disclosed by Intel and aims to provide Deepin users with critical system-level protection.
The core of this update is the upstream Intel microcode data file 20240910. It includes a mitigation for INTEL-SA-01103 (corresponding to CVE-2024-23984), a vulnerability in the Running Average Power Limit (RAPL) interface of certain Intel processors that could lead to information disclosure. It also mitigates INTEL-SA-01097 (corresponding to CVE-2024-24968), which could cause a denial of service on certain Intel processors. In addition, the update fixes multiple...
The Lab · 2026-03-25 07:52:31 · GitHub Issues
A critical security vulnerability in the NATS.io messaging server allows authenticated clients to redirect internal trace messages to any subject, bypassing standard publish permissions. The flaw, tracked as CVE-2026-33249, is present in versions prior to 2.12.6 and 2.11.15. While the payload is limited to valid trace ...
The Lab · 2026-03-25 07:52:32 · GitHub Issues
A critical security vulnerability in the NATS.io messaging server allows authenticated clients to bypass publish permissions and route internal trace messages to arbitrary subjects. The flaw, tracked as CVE-2026-33249, is present in versions prior to 2.12.6 and 2.11.15. While the payload is limited to a valid trace mes...
The Lab · 2026-03-25 10:27:16 · GitHub Issues
A critical authorization bypass has been identified in a smart contract's payout mechanism. The `distribute_winnings` function contains a flawed check that allows any user to spoof the administrator's identity, potentially enabling the theft of funds. The function manually asserts that the transaction `caller` is not t...
The Lab · 2026-03-25 14:27:32 · GitHub Issues
A critical security vulnerability has been identified in a web application's admin panel, where the administrator's JSON Web Token (JWT) is stored insecurely within the browser's `sessionStorage`. This storage mechanism is accessible to any JavaScript executing on the same page, creating a direct pathway for an attacke...
The Lab · 2026-03-25 14:27:38 · GitHub Issues
A critical security vulnerability has been identified in a backend application's configuration, where hardcoded, easily guessable default values for JWT secrets create a severe exposure risk. The flaw, located in the `backend/src/config/index.js` file, allows the system to fall back to these insecure defaults if the pr...
The Lab · 2026-03-25 14:27:42 · GitHub Issues
A security vulnerability has been identified in the backend server configuration, where the Content Security Policy (CSP) is weakened by the inclusion of `'unsafe-inline'` for style sources. This insecure setting, found in the `backend/src/server.js` file, creates a potential attack vector by permitting inline styles. ...
The Lab · 2026-03-25 15:27:35 · GitHub Issues
A critical SQL injection vulnerability has been identified within a Ruby on Rails application, exposing a direct path for attackers to execute arbitrary database commands. The flaw resides in a single line of code within the `app/controllers/users_controller.rb` file, where user input is unsafely concatenated into an S...
The Lab · 2026-03-25 16:27:11 · GitHub Issues
Two open redirect vulnerabilities have been identified within a codebase, creating a direct pathway for potential phishing attacks. The flaws, classified with medium severity, reside in two separate route files where user-controlled input is used to construct redirect URLs without proper validation. This allows attacke...
The Lab · 2026-03-25 16:27:14 · GitHub Issues
A critical security vulnerability has been identified in a key application file, exposing the system to potential arbitrary code execution by attackers. The flaw is a direct code injection vulnerability, classified as CWE-94 and OWASP A03:2021 - Injection, with a high confidence rating of 80%. The core of the issue lie...
The Lab · 2026-03-25 16:27:15 · GitHub Issues
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified within a critical development configuration file. The flaw resides in a `document.write` call that directly incorporates user input without proper sanitization, creating a potential injection point for malicious scripts to execute in users' br...
The Lab · 2026-03-25 19:27:30 · GitHub Issues
A critical security vulnerability in the gRPC-Go library (CVE-2026-33186) has been confirmed; it allows an attacker to bypass a service's authorization controls under specific conditions. The vulnerability affects all versions of the `google.golang.org/grpc` library below v1.79.3. The core risk is that an attacker can send a malformed HTTP/2 request that exploits improper validation of the `:path` pseudo-header, so that the request path evades path-based authorization policy checks while still being routed to the intended handler.
The conditions for exploiting this vulnerability are fairly demanding and several prerequisites must be met at the same time: the service must run a gRPC-Go server; it must use a path-based authorization mechanism (such as `google.golang.org/grpc/authz` or a custom interceptor); and the authorization policy must include rules targeting the canonical path (...
The Lab · 2026-03-25 19:27:31 · GitHub Issues
A critical security vulnerability has been patched in the widely used Ruby JSON library, exposing applications to a format string injection attack. The flaw, tracked as CVE-2026-33210, was present in the `JSON.parse` method when used with the `allow_duplicate_key: false` option. This type of vulnerability can potential...
The Lab · 2026-03-26 03:27:09 · GitHub Issues
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in a GitHub repository's webhook system. The flaw allows a merchant to specify a webhook URL pointing to `127.0.0.1` or other loopback addresses, which could force the application's API to perform port scans against its own server instance....
The Lab · 2026-03-26 04:27:00 · GitHub Issues
A critical vulnerability in a core cryptographic library has been patched, exposing a flaw in how a widely-used elliptic curve processes specific inputs. The bug, tracked as CVE-2026-1229, resided in the `CombinedMult` function of Cloudflare's CIRCL library within its P-384 (secp384r1) curve implementation. This functi...