CRITICAL9.0CVE-2026-55203HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgi_conn structure's drl field that allo…
MEDIUM5.3A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame.
LOW1.8A flaw in Node.js Permission Model enforcement allows Bypass via `process.report.writeReport()` Path Misvalidation.
HIGH8.8An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in…
—
—NILFS utilities through 2.3.0, fixed in commit 26efb5d, nilfs_sb_is_valid() function fails to validate s_log_block_size field in NILFS2 sup…
—
—HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpack_dht_insert() within src/hpack-tb…
—
—
—
—
—
—
—
MEDIUM5.8Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
CRITICAL9.8gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
—OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
MEDIUM5.4OpenClaw: Empty-scope device re-pairing could confuse caller scope containment
HIGH7.1OpenClaw: Workspace-derived service PATH could influence trash command selection
HIGH7.1OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
HIGH8.1OpenClaw: Discord allowFrom could bind to mutable display names
—OpenClaw: Focus command could miss controlScope enforcement
HIGH7.1OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install