News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.
CVE-2026-34202 | Published: March 31, 2026, 3:16 p.m. | Severity: 9.2 (CRITICAL)
Description: ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation. This issue has been patched in zebrad version 4.3.0 and zebra-chain version 6.0.1.
CVE-2026-34162 | Published: March 31, 2026, 3:16 p.m. | Severity: 10.0 (CRITICAL)
Description: FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy: it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, and body, then makes a server-side HTTP request and returns the complete response to the caller. This issue has been patched in version 4.14.9.5.
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.
CVE-2026-33762 | Published: March 31, 2026, 3:16 p.m. | Severity: 2.8 (LOW)
Description: go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git's index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
CVE-2026-33581 | Published: March 31, 2026, 3:16 p.m. | Severity: 7.1 (HIGH)
Description: OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.
OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.
CVE-2026-33276 | Published: March 31, 2026, 3:16 p.m. | Severity: 8.6 (HIGH)
Description: Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)
February 2026 Windows Updates brought a patch for CVE-2026-21508, a local privilege escalation vulnerability in Windows Storage component allowing a low-privileged local user to run arbitrary code as ...
Published: Mar 31, 2026
Vulnerabilities mentioned in this article: CVE-2026-21508
Critical Vulnerability in Perl Core Modules Leaves Systems Exposed
A high-severity security flaw has been identified within the core of the Perl programming language. Designated as CVE-2026-4176, the vulnerability carries a CVSS score of 9.8, highlighting a critical ...
Published: Mar 31, 2026
Vulnerabilities mentioned in this article: CVE-2026-33026, CVE-2026-33032, CVE-2026-4176, CVE-2026-3055, CVE-2026-3381, CVE-2026-27171, CVE-2026-21962