
CVE Vulnerabilities - 13 March 2026


98 vulnerabilities published on 13 March 2026

Zalo Webhook Secret Guessing Made Easier in OpenClaw
GHSA-5m9r-p9g7-679c
Summary: The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret retur...
Severity: 6.9
OpenClaw: Malicious executables may be allowed due to incorrect path matching
GHSA-f8r2-vg7x-gh8m
Summary: `matchesExecAllowlistPattern` normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In additi...
Severity: 6.9
Feishu Reaction Events Can Bypass Group Chat Security
GHSA-m69h-jm2f-2pv8
Summary: A Feishu reaction-originated synthetic event could misclassify a group conversation as `p2p` when the inbound reaction payload omitted `c...
Severity: 6.9
OpenClaw: Shared Gateway Credentials Exposed in Setup Codes
GHSA-7h7g-x2px-94hj
Summary: OpenClaw pairing setup codes generated by `/pair` and `openclaw qr` embedded the configured shared gateway token or password directly in ...
Severity: 6.9
OneUptime: Password Reset Tokens Logged in Application Logs
GHSA-4524-cj9j-g4fj CVE-2026-32598
Summary: The password reset flow logs the complete password reset URL, containing the plaintext reset token, at INFO log level, which is enabled...
Severity: 6.9
Parse Server GraphQL WebSocket endpoint security risk
GHSA-p2x3-8689-cwpg CVE-2026-32594
Impact: Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests...
Severity: 6.9
SFTPGo: Malicious usernames can access unintended directories
GHSA-m83q-5wr4-4gfp CVE-2026-30915
Impact: SFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or k...
Severity: 6.9
Consul: Unsecured access to sensitive files via Kubernetes authentication
CVE-2026-2808 GHSA-cpfq-66p2-336j BIT-consul-2026-2808
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authenti...
Severity: 6.8
SiYuan's renderSprig allows users to read full workspace database
GHSA-4j3x-hhg2-fm2x CVE-2026-32704
Summary: `POST /api/template/renderSprig` lacks `model.CheckAdminRole`, allowing any authenticated user to execute arbitrary SQL queries against th...
Severity: 6.5
Undici can emit duplicate Content-Length headers from case-variant array headers
CVE-2026-1525 GHSA-2mjp-6q6p-2qxm
Impact: Undici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` a...
Severity: 6.5
Parse Server's OAuth2 Login Fails or Allows Unauthorized Access
CVE-2026-32269 GHSA-69xg-f649-w5g2
Impact: The OAuth2 authentication adapter does not correctly validate app IDs when `appidField` and `appIds` are configured. During app ID validat...
Severity: 6.3
Gokapi: unbounded API request bodies allow authenticated denial of service
GHSA-qwc6-vc2v-2ggj CVE-2026-30955
Summary: An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service...
Severity: 6.5
OpenClaw: Malicious Channels Can Modify Protected Settings
GHSA-8jhh-jcqg-mj5p
Summary: In affected versions of `openclaw`, channel-initiated config mutations were authorized against the originating account's `configWrites` pol...
Severity: 6.5
GitLab Has a Denial of Service Vulnerability
CVE-2025-12576 BIT-gitlab-2025-12576
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that under ce...
Severity: 6.5
OpenClaw: sandbox fs-bridge writeFile can write outside the sandbox directory
GHSA-xvx8-77m6-gwg6
Summary: In affected versions of `openclaw`, the sandbox fs-bridge `writeFile` commit step used an unanchored container path during the final move i...
Severity: 6.3
OpenClaw: Unauthorized users can reset conversation state
GHSA-jf6w-m8jw-jfxc
Summary: In affected versions of `openclaw`, a gateway caller with `operator.write` could issue `agent` requests containing `/new` or `/reset` and r...
Severity: 6.1
Undici: Large Responses Can Cause Server to Run Out of Memory
CVE-2026-2581 GHSA-phc3-fgpg-7m6h
Impact: This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici version...
Severity: 5.9
Statamic: stored XSS in control panel color mode preference can compromise admin accounts
GHSA-hcch-w73c-jp4m CVE-2026-32612
Impact: Stored XSS in the control panel color mode preference allows authenticated users with control panel access to inject malicious JavaScript ...
Severity: 5.4
OpenClaw: Discord reaction events bypass guild member and role allowlists
GHSA-9vvh-2768-c8vp
Summary: In affected versions of `openclaw`, Discord reaction ingestion for guild channels did not enforce the same member users and roles allowlist...
Severity: 5.4
Microsoft file-type: ZIP File Can Cause Unexpected Memory Growth
GHSA-j47w-4g3g-c36v CVE-2026-32630
Summary: A crafted ZIP file can trigger excessive memory growth during type detection in `file-type` when using `fileTypeFromBuffer()`, `fileTypeFr...
Severity: 5.3
Soroban SDK: Incorrect Field Element Equality Checks
GHSA-x2hw-px52-wp4m CVE-2026-32322
Security Advisory: Incorrect Equality for Fr Scalar Field Types (BN254, BLS12-381). Summary: Missing modular reduction in `Fr` causes incorrect e...
Severity: 5.3
SFTPGo: path normalization discrepancy allows bypass of folder permissions
GHSA-x8qh-7475-c5mp CVE-2026-30914
Impact: In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem rout...
Severity: 5.3
GitLab: Attackers can make unintended internal requests
CVE-2026-3848 BIT-gitlab-2026-3848
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could h...
Severity: 5.0
Undici HTTP Client Allows Malicious Header Injection
CVE-2026-1527 GHSA-4992-7rv2-5pvq
Impact: When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r...
Severity: 4.6
Gokapi File Uploads Can Bypass Size Limits
GHSA-45vh-rpc8-hxpp CVE-2026-30961
Summary: The chunked upload completion path for file requests does not validate the total file size against the per-request `MaxSize` limit. An at...
Severity: 4.3