0X5T

**Name of the Vulnerable Software and Affected Versions** vm2 versions prior to 3.10.5 **Description** A critical sandbox escape exists in the vm2 library, which is used to run untrusted JavaScript code in Node.js applications. This issue allows an attacker to break out of the restricted environment and achieve arbitrary code execution (RCE) in the host Node.js process. The flaw is specifically observed in Node.js version 25 (confirmed on v25.6.1 running on x64 Linux) when WebAssembly exception handling and JSTag support are enabled. Attackers can exploit this by passing specially crafted code to the `VM.run()` function. The exploitation involves manipulating WebAssembly exception handling using a `try table` construct combined with a `JSTag` catch handler. This mechanism intercepts JavaScript exceptions at the V8 engine's C++ level, bypassing vm2's JavaScript-level security controls and error management. By triggering a `TypeError` through Symbol-to-string coercion, an attacker can leak a host-realm error object into the sandbox. This object's constructor chain can then be used to access the host process object and execute system commands. This issue poses a significant risk to multi-tenant environments, plugin execution systems, continuous integration platforms, automation tools, and SaaS applications that execute user-supplied scripts. **Recommendations** Update to version 3.10.5 or later. As a temporary workaround, restrict or avoid passing untrusted input to the `VM.run()` function.

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.

**Name of the Vulnerable Software and Affected Versions** calibre versions 9.2.1 and below **Description** calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. A Path Traversal flaw exists in versions 9.2.1 and below, allowing arbitrary file writes where the user has write permissions. On Windows systems, this can lead to Remote Code Execution by writing a malicious payload to the Startup folder, which is then executed upon the next user login. The `extract pictures` function only verifies that file names start with 'Pictures' and does not properly sanitize '..' sequences. While calibre's `ZipFile.extractall()` function in utils/zipfile.py sanitizes '..' using ` get targetpath()`, the `extract pictures()` function bypasses this protection by using manual `zf.read()` and `open()` operations. **Recommendations** Update to calibre version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** calibre versions 9.2.1 and below **Description** calibre is a cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. Versions 9.2.1 and below are susceptible to a Path Traversal issue through PDB readers, specifically both 132-byte and 202-byte header variants. This allows for arbitrary file writes with arbitrary extensions and content in locations where the user has write permissions. Files are written in 'wb' mode, which silently overwrites existing files. This can potentially lead to code execution and Denial of Service through file corruption. **Recommendations** Update to version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw voice-call plugin versions prior to 2026.2.3 @clawdbot/voice-call versions through 2026.1.24 **Description** The voice-call plugin contains a flaw in webhook verification that allows remote attackers to bypass authentication by providing untrusted forwarded headers. Specifically, the issue arises when deployments implicitly trust forwarded headers such as `Forwarded` or `X-Forwarded-*`, enabling attackers to manipulate these headers and spoof webhook events. This can occur in reverse-proxy configurations where these headers are not overwritten by a trusted proxy. The root cause is the acceptance of untrusted forwarded headers during webhook verification. **Recommendations** Versions prior to 2026.2.3 should be upgraded to version 2026.2.3 or later. Versions through 2026.1.24 should be migrated to the `@openclaw/voice-call` package and upgraded to version 2026.2.3 or later. If an immediate upgrade is not possible, remove `Forwarded` and `X-Forwarded-*` headers at the network edge to prevent clients from directly supplying them.

**Name of the Vulnerable Software and Affected Versions** FastGPT versions prior to 4.14.7 **Description** FastGPT is an AI Agent building platform. The platform’s web page acquisition nodes and HTTP nodes initiate data acquisition requests from the server, presenting certain security concerns. The issue is addressed through stricter internal network address detection and internal network isolation in the deployment environment. **Recommendations** Update to version 4.14.7 or later.

**Name of the Vulnerable Software and Affected Versions** calibre versions prior to 9.2.0 **Description** calibre is an e-book manager. The CHM reader contains a path traversal flaw that permits arbitrary file writes in locations where the user possesses write access. On Windows operating systems, this can potentially result in Remote Code Execution by writing a malicious payload to the Startup folder, which is then executed upon the next user login. **Recommendations** Update to calibre version 9.2.0.

**Name of the Vulnerable Software and Affected Versions** calibre versions 9.1.0 and earlier **Description** calibre is an e-book manager. A path traversal flaw exists in the EPUB conversion process. A crafted EPUB file can potentially corrupt existing files that the calibre process has write access to. During conversion, calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even if the path is outside the designated conversion directory. The vulnerability involves resolving a URI to a filesystem path and opening it in read-write mode. **Recommendations** Update to version 9.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Cybersecurity AI (CAI) versions up to and including 0.5.10 **Description** The Cybersecurity AI (CAI) framework contains multiple argument injection vulnerabilities within its function tools. User-controlled input is directly passed to shell commands using `subprocess.Popen()` with `shell=True`, potentially allowing attackers to execute arbitrary commands on the host system. Specifically, the `find file()` function, located in `src/cai/tools/reconnaissance/filesystem.py`, is vulnerable because it executes without requiring user approval, as the `find` command is considered a "safe" pre-approved command. An attacker can exploit this by injecting malicious arguments, such as `-exec`, into the `args` parameter, bypassing safety mechanisms and achieving Remote Code Execution (RCE). The vulnerable command construction is: `command = f'find {file path} {args}'`. The `file path` and `args` variables are user-controlled inputs. **Recommendations** Versions up to and including 0.5.10 should be updated to a version containing commit e22a1220f764e2d7cf9da6d6144926f53ca01cde or later. As a temporary workaround, consider restricting or disabling the use of the `find file()` function until a patch is applied.