Hinotoi-Agent

Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.

CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission.

CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.

**Name of the Vulnerable Software and Affected Versions** Summarize versions prior to 0.14.1 **Description** The software creates the daemon configuration directory and file using default filesystem permissions that may be world-readable on Unix-like systems. This allows local attackers to read the `~/.summarize/daemon.json` file, which contains bearer tokens and persisted provider API credentials. By exploiting these permissive permissions, an attacker can gain unauthorized access to the daemon or recover sensitive API keys. **Recommendations** Update to the version containing commit 0cfb0fb.

**Name of the Vulnerable Software and Affected Versions** Crabbox versions prior to 0.9.0 **Description** An authentication bypass exists in the coordinator user-token verification path. The `verifyUserToken()` function fails to reject payloads containing an admin claim, which allows attackers to escalate privileges. An attacker with access to a shared non-admin token can craft a user-token payload with the `admin` variable set to `true`, sign it using HMAC-SHA256 (a cryptographic hash function used for verifying data integrity), and access admin-only coordinator routes. This provides full coordinator admin access, including lease visibility, pool state management, and forced release operations. **Recommendations** Update to version 0.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** FastGPT versions prior to 4.14.17 **Description** An inconsistent Server-Side Request Forgery (SSRF) protection gap exists in the handling of Model Context Protocol (MCP) tool URLs. While direct preview and run endpoints reject internal or private network URLs, the endpoints used to create or update MCP tools allow the storage of internal MCP server URLs. These stored URLs can subsequently be used by the workflow execution process without further validation of the destination. An authenticated user with permissions to manage MCP toolsets can store an internal endpoint, such as `http://localhost:3000/mcp`, causing the backend workflow runner to connect to that internal destination. **Recommendations** Update to version 4.14.17.

**Name of the Vulnerable Software and Affected Versions** NanoClaw (affected versions not specified) **Description** A host/container filesystem boundary issue exists in outbound attachment handling and outbox cleanup. A compromised or prompt-injected container can read files outside the intended outbox directory by providing crafted `messages out.id` and `content.files` values or by creating symlinked outbox files. This can lead to host-side reads of arbitrary files and, in certain instances, recursive deletion of paths outside the intended cleanup target. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** radare2 versions prior to 6.1.4 **Description** A path traversal issue in project deletion allows local attackers to recursively delete arbitrary directories. By supplying absolute paths that escape the configured `dir.projects` root directory, attackers can target project marker files outside the project storage boundary. This action results in the recursive deletion of chosen directories using the permissions of the radare2 process, leading to loss of integrity and availability. **Recommendations** Update to version 6.1.4 or later.

**Name of the Vulnerable Software and Affected Versions** Hermes WebUI (affected versions not specified) **Description** An arbitrary file deletion issue exists in the '/api/session/delete' endpoint. Authenticated attackers can delete files outside the session directory by providing an absolute path or path traversal payload in the `session id` parameter. This occurs because unvalidated session identifiers allow the construction of paths that bypass the SESSION DIR boundary, enabling the deletion of writable JSON files on the host system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

HKUDS OpenHarness prior to PR #156 remediation exposes plugin lifecycle commands including /plugin install, /plugin enable, /plugin disable, and /reload-plugins to remote senders by default. Attackers who gain access through the channel layer can remotely manage plugin trust and activation state, enabling unauthorized plugin installation and activation on the system.

**Name of the Vulnerable Software and Affected Versions** OpenViking versions prior to commit c7bb167 **Description** An authentication bypass exists in the VikingBot OpenAPI HTTP route surface. The issue occurs when the `api key` configuration value is unset or empty, causing the authentication check to fail open. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid 'X-API-Key' header. This allows for the submission of attacker-controlled prompts, the creation or use of bot sessions, and unauthorized access to downstream tools, integrations, secrets, or data accessible to the bot. **Recommendations** Update OpenViking to commit c7bb167 or a newer version. Ensure the `api key` configuration value is properly set and not left empty.