Skip to content

Commit 89feba0

Browse files
1 parent 85b0263 commit 89feba0

9 files changed

Lines changed: 259 additions & 70 deletions

File tree

advisories/github-reviewed/2026/04/GHSA-r77c-2cmr-7p47/GHSA-r77c-2cmr-7p47.json

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-r77c-2cmr-7p47",
4-
"modified": "2026-04-17T21:50:55Z",
4+
"modified": "2026-05-12T16:18:11Z",
55
"published": "2026-04-17T21:50:55Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-43583"
8+
],
79
"summary": "OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay",
810
"details": "## Summary\n\nDelivery queue recovery could lose group tool-policy context for media replay.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `>= 2026.4.10 < 2026.4.14`\n- Patched versions: `>= 2026.4.14`\n\n## Impact\n\nRecovered queued outbound media could be replayed without the original session context needed to enforce group tool policy, weakening channel media restrictions after restart/recovery.\n\n## Technical Details\n\nThe fix persists and replays the relevant session context with delivery queue entries so recovered media dispatch goes through the same policy checks.\n\n## Fix\n\nThe issue was fixed in #66025. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `48aae82bbc19ba8b0741e61a08063eb0d1df464e`\n- PR: #66025\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
911
"severity": [
@@ -38,6 +40,10 @@
3840
"type": "WEB",
3941
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r77c-2cmr-7p47"
4042
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43583"
46+
},
4147
{
4248
"type": "WEB",
4349
"url": "https://github.com/openclaw/openclaw/pull/66025"
@@ -49,6 +55,10 @@
4955
{
5056
"type": "PACKAGE",
5157
"url": "https://github.com/openclaw/openclaw"
58+
},
59+
{
60+
"type": "WEB",
61+
"url": "https://www.vulncheck.com/advisories/openclaw-loss-of-group-tool-policy-context-in-delivery-queue-recovery"
5262
}
5363
],
5464
"database_specific": {

advisories/unreviewed/2026/05/GHSA-2xx6-qf7x-grqh/GHSA-2xx6-qf7x-grqh.json renamed to advisories/github-reviewed/2026/05/GHSA-2xx6-qf7x-grqh/GHSA-2xx6-qf7x-grqh.json

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,30 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2xx6-qf7x-grqh",
4-
"modified": "2026-05-09T00:31:52Z",
4+
"modified": "2026-05-12T16:19:02Z",
55
"published": "2026-05-07T15:38:41Z",
66
"aliases": [
77
"CVE-2025-63706"
88
],
9+
"summary": "next-npm-version is vulnerable to Command injection",
910
"details": "NPM package next-npm-version1.0.1 is vulnerable to Command injection.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@jswork/next-npm-version"
22+
},
23+
"versions": [
24+
"1.0.1"
25+
]
26+
}
27+
],
1728
"references": [
1829
{
1930
"type": "ADVISORY",
@@ -27,6 +38,10 @@
2738
"type": "WEB",
2839
"url": "https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72"
2940
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/afeiship/next-npm-version"
44+
},
3045
{
3146
"type": "WEB",
3247
"url": "https://www.npmjs.com/package/@jswork/next-npm-version"
@@ -37,8 +52,8 @@
3752
"CWE-94"
3853
],
3954
"severity": "CRITICAL",
40-
"github_reviewed": false,
41-
"github_reviewed_at": null,
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-05-12T16:19:02Z",
4257
"nvd_published_at": "2026-05-07T15:16:04Z"
4358
}
4459
}

advisories/unreviewed/2026/05/GHSA-587p-w43q-4hjx/GHSA-587p-w43q-4hjx.json renamed to advisories/github-reviewed/2026/05/GHSA-587p-w43q-4hjx/GHSA-587p-w43q-4hjx.json

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,30 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-587p-w43q-4hjx",
4-
"modified": "2026-05-09T00:31:52Z",
4+
"modified": "2026-05-12T16:19:25Z",
55
"published": "2026-05-07T18:30:40Z",
66
"aliases": [
77
"CVE-2025-63704"
88
],
9+
"summary": "query-parser-string is vulnerable to Prototype Pollution",
910
"details": "NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "query-string-parser"
22+
},
23+
"versions": [
24+
"1.0.0"
25+
]
26+
}
27+
],
1728
"references": [
1829
{
1930
"type": "ADVISORY",
@@ -27,6 +38,10 @@
2738
"type": "WEB",
2839
"url": "https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b"
2940
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/victorteokw/query-string-parser"
44+
},
3045
{
3146
"type": "WEB",
3247
"url": "https://www.npmjs.com/package/query-string-parser?activeTab=readme"
@@ -37,8 +52,8 @@
3752
"CWE-1321"
3853
],
3954
"severity": "CRITICAL",
40-
"github_reviewed": false,
41-
"github_reviewed_at": null,
55+
"github_reviewed": true,
56+
"github_reviewed_at": "2026-05-12T16:19:25Z",
4257
"nvd_published_at": "2026-05-07T16:16:17Z"
4358
}
4459
}
Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-82rm-qcfx-2v78",
4+
"modified": "2026-05-12T16:18:04Z",
5+
"published": "2026-05-06T21:31:42Z",
6+
"withdrawn": "2026-05-12T16:18:04Z",
7+
"aliases": [],
8+
"summary": "Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay",
9+
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-r77c-2cmr-7p47. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [
21+
{
22+
"package": {
23+
"ecosystem": "npm",
24+
"name": "openclaw"
25+
},
26+
"ranges": [
27+
{
28+
"type": "ECOSYSTEM",
29+
"events": [
30+
{
31+
"introduced": "2026.4.10"
32+
},
33+
{
34+
"fixed": "2026.4.14"
35+
}
36+
]
37+
}
38+
]
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r77c-2cmr-7p47"
45+
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43583"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/openclaw/openclaw/commit/48aae82bbc19ba8b0741e61a08063eb0d1df464e"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/openclaw/openclaw"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://www.vulncheck.com/advisories/openclaw-loss-of-group-tool-policy-context-in-delivery-queue-recovery"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-862"
66+
],
67+
"severity": "MODERATE",
68+
"github_reviewed": true,
69+
"github_reviewed_at": "2026-05-12T16:18:04Z",
70+
"nvd_published_at": "2026-05-06T20:16:34Z"
71+
}
72+
}

advisories/unreviewed/2026/05/GHSA-8jh2-3mw6-6pfm/GHSA-8jh2-3mw6-6pfm.json renamed to advisories/github-reviewed/2026/05/GHSA-8jh2-3mw6-6pfm/GHSA-8jh2-3mw6-6pfm.json

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,30 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8jh2-3mw6-6pfm",
4-
"modified": "2026-05-08T18:31:28Z",
4+
"modified": "2026-05-12T16:18:56Z",
55
"published": "2026-05-07T15:38:41Z",
66
"aliases": [
77
"CVE-2025-63705"
88
],
9+
"summary": "node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js",
910
"details": "NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "node-ts-ocr"
22+
},
23+
"versions": [
24+
"1.0.15"
25+
]
26+
}
27+
],
1728
"references": [
1829
{
1930
"type": "ADVISORY",
@@ -23,6 +34,10 @@
2334
"type": "WEB",
2435
"url": "https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a"
2536
},
37+
{
38+
"type": "PACKAGE",
39+
"url": "https://github.com/nicolaspearson/node.ts.ocr"
40+
},
2641
{
2742
"type": "WEB",
2843
"url": "https://www.npmjs.com/package/node-ts-ocr"
@@ -33,8 +48,8 @@
3348
"CWE-78"
3449
],
3550
"severity": "HIGH",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-05-12T16:18:56Z",
3853
"nvd_published_at": "2026-05-07T15:16:04Z"
3954
}
4055
}

advisories/github-reviewed/2026/05/GHSA-m77w-p5jj-xmhg/GHSA-m77w-p5jj-xmhg.json

Lines changed: 66 additions & 0 deletions
Large diffs are not rendered by default.

advisories/unreviewed/2026/05/GHSA-x72j-hv9f-qqh4/GHSA-x72j-hv9f-qqh4.json renamed to advisories/github-reviewed/2026/05/GHSA-x72j-hv9f-qqh4/GHSA-x72j-hv9f-qqh4.json

Lines changed: 15 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,30 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-x72j-hv9f-qqh4",
4-
"modified": "2026-05-09T00:31:52Z",
4+
"modified": "2026-05-12T16:18:45Z",
55
"published": "2026-05-07T18:30:39Z",
66
"aliases": [
77
"CVE-2025-63703"
88
],
9+
"summary": "parse-ini is vulnerable to Prototype Pollution in index.js()",
910
"details": "npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js().",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "parse-ini"
22+
},
23+
"versions": [
24+
"1.0.6"
25+
]
26+
}
27+
],
1728
"references": [
1829
{
1930
"type": "ADVISORY",
@@ -33,8 +44,8 @@
3344
"CWE-1321"
3445
],
3546
"severity": "CRITICAL",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
47+
"github_reviewed": true,
48+
"github_reviewed_at": "2026-05-12T16:18:45Z",
3849
"nvd_published_at": "2026-05-07T16:16:17Z"
3950
}
4051
}

advisories/unreviewed/2026/05/GHSA-xv9c-mjw8-79gf/GHSA-xv9c-mjw8-79gf.json renamed to advisories/github-reviewed/2026/05/GHSA-xv9c-mjw8-79gf/GHSA-xv9c-mjw8-79gf.json

Lines changed: 37 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xv9c-mjw8-79gf",
4-
"modified": "2026-05-09T00:31:52Z",
4+
"modified": "2026-05-12T16:19:17Z",
55
"published": "2026-05-07T15:38:41Z",
66
"aliases": [
77
"CVE-2025-67202"
88
],
9+
"summary": "Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL",
910
"details": "Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "RubyGems",
21+
"name": "sidekiq-cron"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.4.0"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
@@ -23,6 +44,18 @@
2344
"type": "WEB",
2445
"url": "https://github.com/sidekiq-cron/sidekiq-cron/issues/569"
2546
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/sidekiq-cron/sidekiq-cron/pull/568"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/sidekiq-cron/sidekiq-cron/commit/7b4ae4822f93ef4646f5cb55500ca4e25662db7c"
54+
},
55+
{
56+
"type": "PACKAGE",
57+
"url": "https://github.com/sidekiq-cron/sidekiq-cron"
58+
},
2659
{
2760
"type": "WEB",
2861
"url": "https://github.com/sidekiq-cron/sidekiq-cron/releases/tag/v2.4.0"
@@ -33,8 +66,8 @@
3366
"CWE-79"
3467
],
3568
"severity": "MODERATE",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
69+
"github_reviewed": true,
70+
"github_reviewed_at": "2026-05-12T16:19:17Z",
3871
"nvd_published_at": "2026-05-07T15:16:04Z"
3972
}
4073
}

0 commit comments

Comments
 (0)