Athul Jayaram

**Name of the Vulnerable Software and Affected Versions** NEX-Forms – Ultimate Forms Plugin for WordPress versions prior to 9.1.13 **Description** Insufficient escaping of user-supplied parameters and lack of proper preparation in SQL queries allow authenticated attackers with administrator-level access or higher to perform time-based blind SQL Injection. This occurs via the `table` parameter, enabling the addition of malicious SQL queries to extract sensitive information from the database. **Recommendations** Update to a version later than 9.1.12. As a temporary workaround, restrict access to the `table` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.21 **Description** OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass in the `grep` tool within `tools.exec.safeBins`. This allows attackers to read arbitrary files by providing a pattern via the `-e` flag parameter. Attackers can include a positional filename operand to bypass file access restrictions and read sensitive files, such as `.env` files, from the working directory. The issue occurs because the validator consumes the pattern as a flag value, but still allows one positional operand, which can be a filename. The `tools.exec.safeBins` must include `grep` for the vulnerability to be exploitable. The vulnerable component is `src/infra/exec-safe-bin-policy.ts`, which configured `grep` with `maxPositional: 1` and allowed `-e` / `--regexp` value flags. An example of accepted input in vulnerable builds is `grep -e SECRET .env`. **Recommendations** Update OpenClaw to version 2026.2.21 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.22 **Description** OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution issue in the shell environment fallback mechanism. This occurs because the software trusts the unvalidated `SHELL` path from the host environment. An attacker with local environment access can inject a malicious `SHELL` variable to execute arbitrary commands with the privileges of the OpenClaw process. The issue arises from using `$SHELL -l -c 'env -0'` without validating that `SHELL` points to a trusted executable. The fix validates `SHELL` as an absolute normalized executable, prefers `/etc/shells`, applies trusted-prefix fallback checks, and safely falls back to `/bin/sh` when validation fails. The dangerous environment variable policy now also blocks `SHELL` overrides. **Recommendations** Update OpenClaw to version 2026.2.22 or later.

**Name of the Vulnerable Software and Affected Versions** Oracle Commerce Platform versions 11.3.0 through 11.3.2 **Description** The issue allows a low-privileged attacker with network access via HTTP to compromise the Oracle Commerce Platform. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. Attacks can result in unauthorized update, insert, or delete access to some Oracle Commerce Platform accessible data, as well as unauthorized read access to a subset of Oracle Commerce Platform accessible data. **Recommendations** For versions 11.3.0 through 11.3.2, update to a version that includes the fix for this issue to prevent unauthorized access to Oracle Commerce Platform data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.