Oleh Konko

**Name of the Vulnerable Software and Affected Versions** 389-ds-base (affected versions not specified) **Description** A flaw exists in the LDAP server where the `get ldapmessage controls ext()` function fails to enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER (Basic Encoding Rules) message size of 2 MB. This causes excessive CPU consumption and heap allocation. Concurrent exploitation can lead to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gnutls versions prior to 3.8.13-1.1 **Description** No detailed information was provided regarding the nature of the security issues fixed in this package. **Recommendations** Update to version 3.8.13-1.1.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault Community Edition versions prior to 2.0.0 HashiCorp Vault Enterprise versions prior to 1.19.16 HashiCorp Vault Enterprise versions 1.19.16 through 1.20.9 HashiCorp Vault Enterprise versions 1.20.10 through 1.21.4 HashiCorp Vault Enterprise versions prior to 1.21.5 HashiCorp Vault Enterprise versions prior to 2.0.0 **Description** The PKI engine ACME validation fails to reject local targets during the issuance of 'http-01' and 'tls-alpn-01' challenges. This flaw may result in requests being directed to targets within the local network, which could lead to information disclosure. **Recommendations** Update HashiCorp Vault Community Edition to version 2.0.0. Update HashiCorp Vault Enterprise to version 1.19.16, 1.20.10, 1.21.5, or 2.0.0.

**Name of the Vulnerable Software and Affected Versions** HashiCorp Vault versions prior to 2.0.0 HashiCorp Vault versions prior to 1.21.5 HashiCorp Vault versions prior to 1.20.10 HashiCorp Vault versions prior to 1.19.16 **Description** When a Vault auth mount is configured to pass through the 'Authorization' header and that same header is used for authentication to Vault, the system forwards the Vault token to the auth plugin backend, leading to token disclosure. **Recommendations** Update to version 2.0.0 Update to version 1.21.5 Update to version 1.20.10 Update to version 1.19.16

**Name of the Vulnerable Software and Affected Versions** Apache APISIX versions 2.99.0 through 3.15.0 **Description** The tencent-cloud-cls log export feature transmits sensitive information using plaintext HTTP, which allows the data to be sent without encryption. **Recommendations** Upgrade to version 3.16.0.

**Name of the Vulnerable Software and Affected Versions** Apache APISIX versions 0.7 through 3.15.0 **Description** Sensitive information may be transmitted in cleartext because the `ssl verify` variable in the openid-connect plugin configuration is set to false by default. **Recommendations** Upgrade to version 3.16.0.

**Name of the Vulnerable Software and Affected Versions** aws-c-event-stream versions prior to 0.6.0 **Description** A flaw exists in the streaming decoder component of aws-c-event-stream that could allow a third party operating a server to cause memory corruption, potentially leading to arbitrary code execution on a client application that processes specially crafted event-stream messages. **Recommendations** Upgrade to version 0.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** wolfSSL versions 5.8.4 and earlier **Description** An out-of-bounds read issue exists in the ALPN (Application-Layer Protocol Negotiation) parsing functionality when ALPN is enabled. This occurs due to incomplete validation of the ALPN protocol list. A specially crafted ALPN protocol list can trigger this issue, potentially leading to a denial of service through a process crash. ALPN is disabled by default but is enabled when using certain compatibility features, including those for Apachehttpd, Bind, cURL, HAProxy, Hitch, Lighty, JNI, Nginx, and QUIC. **Recommendations** wolfSSL versions prior to 5.8.4 should be updated.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw exists in Keycloak’s Security Assertion Markup Language (SAML) broker endpoint. The endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. The vulnerable component is the SAML broker endpoint, which processes SAML responses. The attack involves crafting a malicious SAML response and injecting an encrypted assertion for an arbitrary principal. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** The software contains a path traversal issue in sandbox skill mirroring when the skill frontmatter `name` parameter is used without proper sanitization during skill copying into the sandbox workspace. An attacker can provide a specially crafted skill package with traversal sequences, such as '../' or absolute paths, within the `name` field to write files outside the designated sandbox workspace root directory. This could allow writing files within the permissions of the user running OpenClaw. The issue requires the attacker to provide a skill package and the victim to have sandbox mode enabled with skill mirroring active. **Recommendations** Update to version 2026.2.14 or later.

**Name of the Vulnerable Software and Affected Versions** gnutls (affected versions not specified) **Description** A flaw exists where case-sensitive comparisons are performed on `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can craft a leaf certificate with casing differences in the Subject Alternative Name (SAN) to bypass policies, causing a certificate that should be rejected to be accepted. This may lead to unauthorized access or information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.