CVE Vulnerabilities - 3 April 2026

134 vulnerabilities published on 3 April 2026

Electron Apps on macOS Can Be Hijacked by Malicious Files
GHSA-5rqw-r77c-jp79 CVE-2026-34779
Some Electron apps on macOS can be tricked into running malicious AppleScript code if the user agrees to move the app to the Applications folder. This is a risk if your Electron app uses the `app.move...
6.5
Shynet Password Reset Flow Allows Host Header Manipulation
CVE-2026-35507
An attacker can manipulate the password reset process by controlling the Host header in Shynet, potentially leading to account takeover. Users of Shynet versions prior to 0.14.0 should update to the l...
6.4
OpenClaw Diffs Viewer Misclassifies Remote Requests as Local
GHSA-3xv9-89fm-7h4r
OpenClaw's diffs viewer can incorrectly identify some remote requests as coming from the same machine, even when it shouldn't. This could allow unauthorized access to certain features. Update OpenClaw...
6.3
Telegram App: Unsecured Accounts Can Be Tricked into Trusting Malicious Users
GHSA-f693-58pc-2gfr
The Telegram app's OpenClaw package, used in some versions of the app, allows malicious users to trick accounts into trusting them without verifying their identity. This means a user could pretend to ...
6.3
OpenClaw: Fake Device Tokens Can Bypass Login Limits
GHSA-6p8r-6m93-557f
The OpenClaw software has a flaw that allows an attacker to bypass the limit on how many times a device can try to log in to a shared account. This could be a problem for companies that use weak passw...
6.3
Roundcube Webmail allows malicious HTML in email attachments
CVE-2026-35539
A security issue in Roundcube Webmail can allow an attacker to inject malicious code into a user's browser if they preview a specific type of email attachment. This could potentially lead to unauthori...
6.1
OpenClaw: Malicious Variables Can Execute Code on Your System
GHSA-cg7q-fg22-4g98
The OpenClaw software is not properly cleaning up environment variables that could be used by malicious code to execute on your system. This means a hacker could potentially take control of your syste...
6.0
OpenClaw: Unauthorized access to media downloads through redirects
GHSA-68v4-hmwv-f43h
A security issue in OpenClaw allows unauthorized access to media downloads if an attacker redirects a user to a malicious website. This can happen if the user has previously logged in to OpenClaw and ...
6.0
Electron: Malicious Service Worker Can Inject Fake Data
GHSA-xj5x-m3f3-5x3h CVE-2026-34778
A malicious service worker can trick Electron apps into accepting fake data by manipulating the results of executeJavaScript(). To fix this, developers should not rely on executeJavaScript() for secur...
5.9
Electron Apps: Malicious Header Injection Through Custom Protocol Handlers
GHSA-4p4r-m79c-wq3v CVE-2026-34767
Some Electron apps that handle custom protocols or modify web request headers may be vulnerable to malicious header injection. This can allow an attacker to manipulate cookies, content security polici...
5.9
Electron: Download Dialog Crashes Apps When Closing a Session
GHSA-9w97-2464-8783 CVE-2026-34772
If you use Electron to create apps that allow users to download files, be aware that closing a session while a download dialog is open can crash your app. To fix this, avoid closing a session while a ...
5.8
Roundcube Webmail 1.6.0 Has Security Flaw in Email Styles
CVE-2026-35540
If a hacker sends a malicious email to a user, it could potentially allow them to access internal network resources or extract sensitive information. This is because the webmail software doesn't prope...
5.4
Electron: Malicious IFrame Can Get Unrestricted Browser Permissions
GHSA-r5p7-gp4j-qhrx CVE-2026-34777
A security issue in Electron's permission system could allow malicious content within an iframe to gain access to browser features like screen control, keyboard control, and external links. To fix thi...
5.4
Shynet allows malicious scripts to run in users' browsers
CVE-2026-35508
Shynet's template filters can be tricked into executing malicious code on users' browsers. This means attackers can steal sensitive information or take control of users' accounts. Update to version 0....
5.4
Roundcube Webmail: Image Blocking Bypass via SVG Content
CVE-2026-35545
If you use Roundcube Webmail, an attacker may be able to bypass the image blocking feature and potentially access sensitive information or compromise security settings. This is possible if you receive...
5.3
Roundcube Webmail: Malicious Email Messages Can Bypass Security Features
CVE-2026-35544
Some versions of Roundcube Webmail don't properly filter out malicious code in emails. This could allow an attacker to bypass security features and potentially harm your users. Update to the latest ve...
5.3
Roundcube Webmail: Malicious SVG Images Can Bypass Image Blocking
CVE-2026-35543
Attackers can use specially crafted SVG images in emails to bypass Roundcube Webmail's image blocking feature, potentially allowing them to disclose sensitive information or bypass security controls. ...
5.3
Roundcube Webmail: Bypassing Image Blocking in Emails
CVE-2026-35542
A security issue in Roundcube Webmail allows hackers to secretly load images from the internet into emails, potentially revealing sensitive information or allowing unauthorized access. This affects ve...
5.3
DOMPurify's attribute check can be bypassed allowing XSS
GHSA-cjmm-f4jc-qw8r
An attacker can exploit a weakness in the way DOMPurify handles attribute checks to inject malicious code into web pages. This could allow an attacker to execute code on your website if users click on...
5.3
DOMPurify: Event Handlers Bypassed with Prototype Pollution
GHSA-cj63-jhhr-wcxv
DOMPurify, a library that cleans up user input, has a security issue that can allow hackers to inject malicious code into a website. This happens when a specific setting is enabled, allowing an attack...
5.3
D-Tale: Public Servers at Risk of Remote Code Attack
GHSA-436g-fhfc-9g5w CVE-2026-35052
If you're running D-Tale publicly and use a redis or shelf storage layer, attackers could potentially take control of your server. This is a serious threat, so it's essential to update to the latest v...
5.3
Discord Chat Vulnerability in OpenClaw: Group DMs Misclassified
GHSA-6336-qqw9-v6x6
A bug in the OpenClaw library for Discord integration can mistakenly identify group messages as direct messages. This could lead to unintended access or confusion. Update to version 2026.3.31 or later...
5.3
Discord Slash Commands Can Bypass Channel Restrictions for Authorized Users
GHSA-rvvf-6vh3-9j43
Some authorized Discord users can bypass channel restrictions on group direct messages when using Discord slash commands. This issue affects the OpenClaw package and can be fixed by updating to versio...
5.3
Discord Voice Manager on OpenClaw Allows Unapproved Access
GHSA-cqgw-44wg-44rf
A security issue in OpenClaw's Discord voice manager allows unauthorized users to join voice channels even if they're not on an approved access list. This could let unwanted users listen in on sensiti...
5.3
OpenClaw: Malicious Files Can Be Read from Anywhere on the System
GHSA-58q2-7r52-jq62
OpenClaw, a library used by many applications, has a security flaw that allows hackers to read any file on a computer. This could expose sensitive information. To fix this, update OpenClaw to version ...
5.3