Mrthankyou

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.15 **Description** The software contains an option injection flaw in the git-hooks/pre-commit hook. This allows attackers to stage files that are normally ignored by creating files that begin with dashes. The hook does not properly separate filenames when using `xargs` with `git add`, which enables attackers to inject `git` flags and add sensitive ignored files, such as `.env` files, to the git history. **Recommendations** Update to version 2026.2.15 or later.

**Name of the Vulnerable Software and Affected Versions** Origin Protocol (affected versions not specified) **Description** The Origin Protocol project website is susceptible to malicious Javascript injection via a POST request to "/presale/join". User-controlled data is passed without sanitization to SendGrid and injected into an email delivered to the founders@originprotocol.com. If the email recipient's program is vulnerable to XSS, they may receive an email with malicious XSS. Regardless, the hacker can inject malicious HTML that modifies the email's body content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dependabot-Core versions 0.119.0.beta1 through 0.125.1 **Description** There is a remote code execution issue in `dependabot-common` and `dependabot-go modules` when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the source branch name: "/$({curl,127.0.0.1})", Dependabot will make a HTTP request to the URL: 127.0.0.1 when cloning the source repository. This occurs because Dependabot runs a shell command to git clone the repository, and the `FileFetcher` class from `dependabot-common` can be used to clone the repository for other package managers. **Recommendations** For Dependabot-Core versions 0.119.0.beta1 through 0.125.1, update to version 0.125.1 to resolve the issue. As a temporary workaround, escape the branch name prior to passing it to the `Dependabot::Source` class, for example using `shellwords` to escape the branch name.