Davidgilmore

**Name of the Vulnerable Software and Affected Versions** HKUDS AI-Trader versions prior to 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65 **Description** An issue in the Research Export component allows remote attackers to perform a manipulation that results in information disclosure. This affects the '/api/research/agents.csv' endpoint. **Recommendations** Apply patch 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. Restrict access to the '/api/research/agents.csv' endpoint to only authenticated agents with the `research exports` capability.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.12 **Description** An improper authentication issue exists in the bluebubbles Webhook component within the `handleBlueBubblesWebhookRequest()` function of the `extensions/bluebubbles/src/monitor.ts` file. This flaw allows a remote attacker to perform a manipulation that bypasses authentication. **Recommendations** Upgrade to version 2026.2.12. As a temporary workaround, restrict access to the `handleBlueBubblesWebhookRequest()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** AstrBotDevs AstrBot versions prior to 4.16.1 **Description** The Dashboard component contains hard-coded credentials within the file `astrbot/dashboard/routes/auth.py`. This flaw allows a remote attacker to gain unauthorized access to the system. **Recommendations** Update to a version later than 4.16.0. Restrict access to the `astrbot/dashboard/routes/auth.py` authentication routes to minimize the risk of unauthorized access.

A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulation of the argument pathname results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

**Name of the Vulnerable Software and Affected Versions** usememos memos versions prior to 0.22.2 **Description** Improper authorization occurs in the UpdateInstanceSetting component within the file src/App.tsx. Specifically, manipulating the `additionalStyle` or `additionalScript` arguments in the `memos access token()` function allows for remote attacks. **Recommendations** Update to a version newer than 0.22.1. As a temporary workaround, restrict access to the `memos access token()` function or avoid using the `additionalStyle` and `additionalScript` arguments until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** rowboat versions prior to 0.1.68 **Description** Improper authentication occurs in the tools webhook component within the `tool call()` function of the 'apps/experimental/tools webhook/app.py' file. A remote attacker can manipulate the `X-Tools-JWE` argument to bypass authentication mechanisms. **Recommendations** Update to a version newer than 0.1.67. As a temporary workaround, restrict access to the `tool call()` function or the 'apps/experimental/tools webhook/app.py' file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions danielmiessler Personal AI Infrastructure versions prior to 2.3.1 Description A flaw exists in danielmiessler Personal AI Infrastructure up to version 2.3.0. The issue resides in an unknown function within the Skills/Parser/Tools/parse url.ts file and allows for os command injection through manipulation. This can be triggered remotely. The exploit has been publicly disclosed. Recommendations Update to version 2.3.1 or later.