Hackerman70000

**Name of the Vulnerable Software and Affected Versions** container versions prior to 0.12.3 **Description** Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. **Recommendations** Update to version 0.12.3.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 5.2.13.0 and earlier, versions 6.0 and 6.2.0 and earlier **Description** The Mattermost Desktop App does not properly validate help links. This allows a malicious Mattermost server to execute arbitrary executables on a user’s system when a user clicks on specific items within the Help menu. The issue involves unvalidated server-controlled URLs in the Help menu. **Recommendations** Update Mattermost to a version later than 5.2.13.0. Update Mattermost to a version later than 6.0. Update Mattermost to a version later than 6.2.0.

**Name of the Vulnerable Software and Affected Versions** Axios versions prior to 0.30.3 Axios versions prior to 1.13.5 **Description** The `mergeConfig()` function in Axios crashes with a TypeError when processing configuration objects that contain ` proto ` as an own property. This occurs because when ` proto ` is present (for example, when created via `JSON.parse()`), the function performs a prototype chain lookup that returns `Object.prototype` instead of a function, leading to a crash. A remote attacker can exploit this by providing a malicious configuration object, resulting in a complete denial of service. This issue affects Node.js servers and any backend that passes user-controlled JSON to Axios configuration methods. **Recommendations** Update to version 0.30.3 or later. Update to version 1.13.5 or later. As a temporary workaround, avoid passing user-controlled input directly into the Axios configuration object, specifically ensuring that input parsed via `JSON.parse()` is validated to remove the ` proto ` property before being processed by `mergeConfig()`.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.1.20 **Description** An unauthenticated local client could leverage the Gateway WebSocket API to modify configuration settings through the `config.apply` function. Specifically, the ability to set unsafe `cliPath` values, which are subsequently used for command discovery, allows for command injection with the privileges of the gateway user. The `config.apply` function accepted raw JSON and wrote it to disk after schema validation. The `cliPath` values were not restricted to safe executable names or paths. Command discovery utilized a shell invocation when resolving executables. **Recommendations** Upgrade to version 2026.1.20 or later. If an immediate upgrade is not possible, enable `gateway.auth` and avoid using custom `cliPath` values.

**Name of the Vulnerable Software and Affected Versions** Kimi Agent SDK versions prior to 0.1.6 **Description** The Kimi Agent SDK libraries expose the Kimi Code agent runtime in applications. The `vsix-publish.js` and `ovsx-publish.js` scripts pass filenames to the `execSync()` function as shell command strings. Filenames containing shell metacharacters, such as `$(cmd)`, could potentially execute arbitrary commands. This issue is present only in the repository’s development scripts and does not affect published VSCode extensions. The scripts utilize the `execSync()` function with filenames as arguments, which allows for command injection. **Recommendations** Update to version 0.1.6 or later, which replaces `execSync` with `execFileSync` using array arguments. Ensure .vsix files in the project directory have safe filenames before running publish scripts.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.28.0 **Description** FreshRSS utilizes weak random number generators (`mt rand()` and `uniqid()`) for creating remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, potentially leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are used for the "keep me logged in" feature. **Recommendations** Update to version 1.28.0 or later.