Curly-Haired-Baboon

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.

**Name of the Vulnerable Software and Affected Versions** electerm versions prior to 3.9.5 **Description** Insecure sync encryption occurs due to the use of deterministic AES-192-CBC with a fixed zero IV (Initialization Vector), a constant KDF (Key Derivation Function) salt, and the absence of a MAC (Message Authentication Code). This leads to confidentiality and integrity failures for synced bookmark and profile data. Attackers can crack common passwords across different installations and perform undetected ciphertext bit-flips to alter configurations and bookmarks. **Recommendations** Update to version 3.9.5.

**Name of the Vulnerable Software and Affected Versions** electerm versions prior to 3.8.9 **Description** Persistent local-pty code execution is possible through the import of bookmark JSON files or compromised synchronization targets such as gist or WebDAV. An attacker can inject `exec*` fields or global configuration settings to trigger remote code execution when a bookmark is opened or when synchronization is applied. **Recommendations** Avoid importing unsafe data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** electerm versions 3.0.6 through 3.8.8 **Description** A local code execution issue exists where any process running under the same user can send a JSON payload to the single-instance socket or pipe of the application. This allows an attacker to create tabs and potentially spawn local processes under their control without requiring user interface interaction. This affects installations configured as single-instance on the machine. **Recommendations** Update to version 3.9.0. Avoid running unsafe commands as a workaround.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.7.0 **Description** The software fails to escape HTML when storing and rendering Attribute View (AV) names. The kernel stores these names without escaping and uses a raw string replacement to embed them in HTML before sending them to clients via WebSocket. This allows for HTML injection through three client paths: `render.ts` (via `outerHTML`), `Title.ts` (via `innerHTML`), and `transaction.ts` (via `innerHTML`). Because the main BrowserWindow is configured with `nodeIntegration: true`, `contextIsolation: false`, and `webSecurity: false`, this HTML injection can be escalated to Node.js code execution (RCE) on the victim's desktop. The payload is persistent, as it is stored on disk, replicates through sync transports (S3, WebDAV, cloud), and survives export-import processes. It can be triggered by any user role opening a document bound to the affected AV. Technical details include the use of the `/api/transactions` endpoint with the `setAttrViewName` action to plant the payload. The vulnerability is reachable via local-origin requests, including those from allowlisted `chrome-extension://` origins, allowing malicious browser extensions to execute the attack. **Recommendations** Update to version 3.7.0. As a temporary mitigation, restrict access to the `/api/transactions` endpoint or avoid importing `.sy.zip` files from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** electerm versions 3.0.6 through 3.8.14 **Description** Arbitrary local code execution can occur via deep links, CLI `--opts`, or crafted shortcuts. This happens when a user clicks a crafted `electerm://...` link or opens a crafted shortcut or command that launches the application with attacker-controlled `opts`. **Recommendations** Update to version 3.8.15. Disable or unregister electerm protocol handlers (Deep Link settings) and avoid clicking `electerm://` links. Avoid running the application with untrusted `--opts` arguments or opening `.lnk` or `.desktop` files from untrusted sources. Restrict which users can launch the application on shared machines and avoid installing it in locations reachable by other users. Run the application in a confined account or sandbox (non-admin user) to reduce impact.

**Name of the Vulnerable Software and Affected Versions** PraisonAI versions prior to 4.6.34 **Description** The Model Context Protocol (MCP) server in PraisonAI contains a path traversal flaw in its file-handling tools. The server registers four tools by default: 'praisonai.rules.create', 'praisonai.rules.show', 'praisonai.rules.delete', and 'praisonai.workflow.show'. These tools accept path or filename strings via the `tools/call` endpoint and join them to the `~/.praison/rules/` directory (or accept absolute paths in the case of 'praisonai.workflow.show') without performing containment checks. Additionally, the JSON-RPC dispatcher passes `params["arguments"]` to handlers via `**kwargs` without validating them against the input schema. An attacker can use the `rule name` variable with traversal sequences (e.g., `../../`) to read, write, or delete any file the running user has permissions for. This can be escalated to arbitrary code execution by writing a Python `.pth` file into the user site-packages directory, which is then executed by any subsequent Python process spawned by the user. This issue can be triggered via an MCP-connected LLM through indirect prompt injection (e.g., malicious web content), or via the `praisonai mcp serve --transport http-stream` endpoint, which defaults to no authentication on loopback. **Recommendations** Update to version 4.6.34. As a temporary workaround, restrict access to the loopback interface or ensure the `--api-key` flag is used when running the MCP server with HTTP-stream transport to prevent unauthenticated access.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.7.0 **Description** An issue exists in the tooltip mouseover handler where the software reads the `aria-label` attribute and processes it using `decodeURIComponent` before assigning the result to `messageElement.innerHTML`. The encoder `escapeAriaLabel()` only handles standard HTML special characters and ignores `%XX` URL-escapes. Consequently, a document title containing URL-encoded characters (e.g., `%3Cimg src=x onerror=...%3E`) bypasses the encoder and is converted into literal HTML tags by `decodeURIComponent` during the rendering process. When assigned to `innerHTML`, the HTML parser executes the injected script. Because the renderer is configured with `nodeIntegration: true`, `contextIsolation: false`, and `webSecurity: false`, the injected handler can access `require('child process')`, leading to arbitrary code execution on the victim's desktop. This can be triggered by hovering over search results, file-tree tooltips, or AV column names and descriptions. **Recommendations** Update to version 3.7.0. As a temporary workaround, restrict the use of the `innerHTML` property in `app/src/dialog/tooltip.ts` by replacing it with `textContent` to prevent HTML parsing of tooltip messages. Avoid using `decodeURIComponent` on generic `aria-label` paths in `app/src/block/popover.ts`.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is an open-source church management system. A stored cross-site scripting issue exists in the `PersonView.php` file because of the incorrect use of `sanitizeText()` as an output sanitizer for an HTML attribute context. The function only removes HTML tags and does not escape quote characters, allowing an attacker to break out of the `href` attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS is triggered against any user who views that person's profile page, including administrators, potentially enabling session hijacking and full account takeover. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains a SQL injection issue in the `PropertyTypeEditor.php` file, which is part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The issue arises from replacing the `legacyFilterInput()` function, which both strips HTML and escapes SQL, with `sanitizeText()`, which only strips HTML. This allows authenticated users with the MenuOptions role to perform time-based blind injection and potentially access all data within the database, including password hashes. Recommendations Update to version 7.1.0 or later.