Yueyuel

**Name of the Vulnerable Software and Affected Versions** form-data versions prior to 2.5.6 form-data versions prior to 3.0.5 form-data versions prior to 4.0.6 **Description** The `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. This allows an attacker to perform CRLF injection (Carriage Return Line Feed injection), which is the process of inserting special characters to manipulate the structure of an HTTP header. If an application uses untrusted input as a field name or filename, an attacker can terminate the header line to inject additional headers or smuggle entire multipart parts into the request forwarded to a backend. This can enable the attacker to add or override form fields, such as setting `is admin=true`, as seen by the downstream parser. **Recommendations** Update to version 2.5.6. Update to version 3.0.5. Update to version 4.0.6.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.227.1 **Description** Zed builds SSH/WSL remote commands as a shell command string starting with exec env ..., where environment variable keys are inserted without shell quoting or validation. An attacker who can control an environment variable key, such as through project terminal settings, can trigger shell expansions (e.g., $(...)) that are evaluated by the remote shell when a terminal is opened. This allows for arbitrary command execution on the remote host under the victim user's account. **Recommendations** Update to version 0.227.1.

Name of the Vulnerable Software and Affected Versions LTI JupyterHub Authenticator versions prior to 1.6.3 Description The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, allowing an attacker with a valid consumer key to send repeated requests with unique nonces, gradually exhausting server memory and causing a denial of service. Recommendations Upgrade to version 1.6.3 or later.

**Name of the Vulnerable Software and Affected Versions** pyLoad versions 0.4.20 through 0.5.0b3.dev96 **Description** pyLoad, a download manager written in Python, contains a flaw in its ClickNLoad feature. The `local check` decorator can be circumvented through HTTP Host header spoofing. This allows unauthenticated remote attackers to access endpoints restricted to localhost. Successful exploitation enables attackers to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code. **Recommendations** Update to version 0.5.0b3.dev97 or later.

**Name of the Vulnerable Software and Affected Versions** Tina versions prior to 2.1.7 @tinacms/cli versions prior to 2.0.5 **Description** Tina is a headless content management system. A path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at `media.ts` joins user-controlled path segments using `path.join()` without validating that the resulting path remains within the intended media directory. This allows writing files to arbitrary locations on the filesystem. The vulnerability is present in the `handlePost`, `handleDelete`, `handleList`, `MediaModel.listMedia`, and `MediaModel.deleteMedia` functions. Similar code also exists in the Express version. The vulnerability could potentially lead to remote code execution, denial of service, or information disclosure. The vulnerable code is located in `packages/@tinacms/cli/src/next/commands/dev-command/server/media.ts` lines 42-43. The `path.join()` function resolves `..` segments in the path, and when the user-supplied path contains traversal sequences, these are resolved relative to the media folder, allowing escape to arbitrary filesystem locations. **Recommendations** Versions prior to 2.1.7: Add path validation to ensure the resolved path stays within the media directory. Versions prior to 2.0.5: Add path validation to ensure the resolved path stays within the media directory. Consider creating a validation helper function to ensure consistent path validation across all affected functions and endpoints. Apply the fix to the `handleDelete` function, `handleList` function, `MediaModel.listMedia` method, `MediaModel.deleteMedia` method, and the Express router in `packages/@tinacms/cli/src/server/`.

**Flowise and Affected Versions** Flowise versions prior to 3.0.13 **Description** Flowise is a drag & drop user interface to build a customized large language model flow. A mass assignment issue exists in the `/api/v1/leads` endpoint, allowing unauthenticated users to control internal entity fields (`id`, `createdDate`, `chatId`) by including them in the request body. The endpoint uses `Object.assign()` to copy all properties from the request body to the Lead entity without input validation or field filtering. This allows attackers to bypass auto-generated fields and inject arbitrary values. The vulnerability exists in `/packages/server/src/services/leads/index.ts` at lines 27-28. The Lead entity definition at `/packages/server/src/database/entities/Lead.ts` uses TypeORM decorators that should auto-generate these fields, but `Object.assign()` overwrites these fields before they are saved. The `/api/v1/leads` endpoint is publicly accessible due to its inclusion in a whitelist in `/packages/server/src/utils/constants.ts`. Attack scenarios include ID collision attacks, audit trail manipulation, data integrity violations, and chatflow association manipulation. **Recommendations** Versions prior to 3.0.13: Implement a fix to whitelist allowed fields during object assignment, only copying explicitly permitted fields from the request body. Alternatively, use destructuring with explicit fields or utilize class-transformer with `@Exclude()` decorators to prevent assignment of sensitive fields from the request. Consider applying the same fix to other endpoints that use `Object.assign()` with request bodies, such as `/packages/server/src/utils/addChatMessageFeedback.ts`.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.224.4 **Description** A Zip Slip (Path Traversal) issue exists in the extension archive extraction functionality. The `extract zip()` function, located in `crates/util/src/archive.rs`, does not validate ZIP entry filenames for path traversal sequences, such as `../`. This allows a malicious extension to write files outside of its designated sandbox directory by downloading and extracting a crafted ZIP archive. **Recommendations** Update to version 0.224.4 or later.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.225.9 **Description** A symlink escape issue exists in Zed, a code editor, within the Agent file tools (`read file`, `edit file`). This allows reading and writing files outside the project directory when the project contains symbolic links pointing to external paths. This bypasses workspace boundaries and privacy protections (`file scan exclusions`, `private files`), potentially exposing sensitive user data to the LLM. The issue allows bypassing the intended workspace boundary and privacy protections. **Recommendations** Update to version 0.225.9 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.14 **Description** The SSRF protection in OpenClaw could be bypassed using full-form IPv4-mapped IPv6 literals, such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This bypass allows requests that should be blocked, including those to loopback, private networks, and link-local metadata, to pass the SSRF guard. The vulnerable component is the SSRF guard (`src/infra/net/ssrf.ts`). The issue is an SSRF protection bypass. **Recommendations** Update OpenClaw to version 2026.2.14 or later.

**Name of the Vulnerable Software and Affected Versions** Indico versions prior to 3.3.10 **Description** Indico, an event management system, is susceptible to server-side request forgery (SSRF). The system makes outgoing requests to URLs provided by users. While this functionality is intentional, it could allow access to sensitive targets like localhost or cloud metadata endpoints. The risk is limited to event organizers who can access endpoints where SSRF could be used to view returned data. Users hosted on AWS without authentication for sensitive data are less affected. **Recommendations** Versions prior to 3.3.10 should be upgraded to version 3.3.10. As a preventative measure, set the `http proxy` and `https proxy` environment variables on both the indico-uwsgi and indico-celery services to force outgoing requests through a limiting proxy.

**Name of the Vulnerable Software and Affected Versions** openclaw versions prior to 2026.2.1 **Description** In Telegram webhook mode, if `channels.telegram.webhookSecret` is not set, the software may accept webhook HTTP requests without verifying Telegram’s secret token header. This can allow forged Telegram updates, such as spoofing `message.from.id`, if the webhook endpoint is reachable by an attacker. Telegram webhook mode is not enabled by default and requires configuration of `channels.telegram.webhookUrl`. An attacker who can reach the webhook endpoint may be able to send forged updates that are processed as if they came from Telegram, potentially leading to unintended bot actions. The vulnerable component is the webhook functionality. **Recommendations** versions prior to 2026.2.1: Set a strong `channels.telegram.webhookSecret` and ensure your reverse proxy forwards the `X-Telegram-Bot-Api-Secret-Token` header unchanged. versions prior to 2026.2.1: Restrict network access to the webhook endpoint. versions prior to 2026.2.1: As a temporary workaround, consider disabling Telegram webhook mode by not configuring `channels.telegram.webhookUrl`.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.2 **Description** The software contains an authorization bypass issue where clients with `operator.write` scope can approve or deny exec approval requests by sending the `/approve` chat command. The `/approve` command path invokes `exec.approval.resolve` through an internal privileged gateway client, bypassing the `operator.approvals` permission check that protects direct RPC calls. This is particularly relevant in shared or multi-client setups where tokens are intentionally scoped differently. The vulnerable function is `exec.approval.resolve`. The API endpoint used is `/approve`. **Recommendations** Upgrade to OpenClaw version 2026.2.2 or later. If an upgrade is not possible, avoid issuing write-only device tokens to untrusted clients. If an upgrade is not possible, disable text commands (`commands.text=false`). If an upgrade is not possible, restrict access to the webchat or control UI.

**Name of the Vulnerable Software and Affected Versions** Qwik versions prior to 1.19.0 **Description** Qwik is a performance focused javascript framework. A prototype pollution issue exists in the `formToObj()` function within the @builder.io/qwik-city middleware. The function processes form field names using dot notation, but does not sanitize dangerous property names like ` proto `, `constructor`, and `prototype`. This allows unauthenticated attackers to pollute `Object.prototype` by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. **Recommendations** Update to version 1.19.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.2.1 **Description** The software contains an information disclosure issue in the MS Teams attachment downloader (optional extension must be enabled). When retrying downloads after receiving 401 or 403 responses, the application sends `Authorization` bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, potentially leading to token theft. The default download allowlist uses suffix matching, and a message referencing an untrusted but allowlisted host could cause the bearer token to be sent to the incorrect location. **Recommendations** Upgrade to OpenClaw version 2026.2.1 or later. If the MS Teams extension is not needed, disable it. If upgrading is not possible, ensure the auth host allowlist is strict, including only Microsoft-owned endpoints that require authentication, and avoid wildcard or broad suffix entries.

**Name of the Vulnerable Software and Affected Versions** OctoPrint versions up to and including 1.11.5 **Description** OctoPrint, a web interface for controlling 3D printers, is affected by a timing attack that could allow an attacker with network access to extract API keys. The issue stems from the use of character-based comparison during API key validation, which short-circuits on the first mismatched character. This results in a non-constant runtime, potentially revealing information about the key through response time measurements. The likelihood of successful exploitation is dependent on network conditions such as latency and noise. A proof of concept has not been achieved, but the potential for API key extraction exists. The API key validation process is vulnerable to timing attacks. The `denied access responses` are used to guess API key characters. **Recommendations** Versions prior to 1.11.6 should be updated to version 1.11.6 or later.

**Name of the Vulnerable Software and Affected Versions** Werkzeug versions prior to 3.1.5 **Description** Werkzeug’s `safe join` function improperly handles path segments containing Windows device names with file extensions or trailing spaces. Windows device names, such as CON and AUX, are implicitly present and readable in every directory and are accepted with file extensions (e.g., CON.txt) or trailing spaces (e.g., CON ). This can lead to unauthorized access or manipulation of system resources. **Recommendations** Update Werkzeug to version 3.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** MONAI versions up to and including 1.5.1 **Description** MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. A Path Traversal (Zip Slip) issue exists in the ` download from ngc private()` function. This function utilizes `zipfile.ZipFile.extractall()` without validating file paths. Other similar download functions within the same codebase correctly employ the `safe extract member()` function for secure extraction. A Path Traversal condition occurs when an application allows a user to access files or directories outside of the intended root directory. In the context of zip files, a 'Zip Slip' happens when a maliciously crafted zip archive contains filenames with special characters (like '..') that, when extracted, can write files to arbitrary locations on the file system. The function `zipfile.ZipFile.extractall()` is used to extract all files from a zip archive. **Recommendations** Versions prior to and including 1.5.1 should be updated to a version that includes commit 4014c8475626f20f158921ae0cf98ed259ae4d59.

**Name of the Vulnerable Software and Affected Versions** LMDeploy versions prior to 0.11.1 **Description** LMDeploy is a toolkit used for compressing, deploying, and serving LLMs. A flaw exists where the `torch.load()` function is called without the `weights only=True` parameter when loading model checkpoint files. This insecure deserialization allows an attacker to execute arbitrary code on a system by loading a malicious `.bin` or `.pt` model file. The `torch.load()` function is used to load serialized objects, and without the `weights only=True` parameter, it can deserialize arbitrary Python objects, leading to code execution. **Recommendations** LMDeploy versions prior to 0.11.1 are vulnerable and should be updated to version 0.11.1 or later.

**Name of the Vulnerable Software and Affected Versions** Local Deep Research versions 1.3.0 through 1.3.8 **Description** The software is an AI-powered research assistant. A flaw exists in the download service (`download service.py`) where HTTP requests are made using raw `requests.get()` calls, bypassing the application’s Server-Side Request Forgery (SSRF) protection (`safe requests.py`). This allows attackers to potentially access internal services and cloud provider metadata endpoints (AWS/GCP/Azure), and conduct internal network reconnaissance by submitting malicious URLs through the API. The API is susceptible to malicious URLs. **Recommendations** Update to version 1.3.9 or later.

**Name of the Vulnerable Software and Affected Versions** Fedify versions prior to 1.6.13 Fedify versions prior to 1.7.14 Fedify versions prior to 1.8.15 Fedify versions prior to 1.9.2 **Description** Fedify is a TypeScript library used for building federated server applications based on ActivityPub. A Regular Expression Denial of Service (ReDoS) issue exists in the document loader component. The HTML parsing regular expression located at `packages/fedify/src/runtime/docloader.ts:259` includes nested quantifiers that can lead to catastrophic backtracking when processing specially crafted HTML responses. This can cause a denial of service. **Recommendations** Update to Fedify version 1.6.13 or later. Update to Fedify version 1.7.14 or later. Update to Fedify version 1.8.15 or later. Update to Fedify version 1.9.2 or later.