News & Sicurezza

OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.

OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text.

OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory.

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.

CVE ID :CVE-2026-27854 Published : March 31, 2026, 12:16 p.m. | 1 hour, 37 minutes ago Description :An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service. Severity: 4.8 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-24029 Published : March 31, 2026, 12:16 p.m. | 1 hour, 37 minutes ago Description :When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-24030 Published : March 31, 2026, 12:16 p.m. | 1 hour, 37 minutes ago Description :An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-27853 Published : March 31, 2026, 12:16 p.m. | 1 hour, 37 minutes ago Description :An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service. Severity: 5.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Critical CrewAI Vulnerabilities Allow RCE and Sandbox Escapes via Prompt Injection The rapidly growing field of multi-agent AI systems has hit a significant security speed bump. A new vulnerability note from CERT/CC has detailed four distinct security flaws within CrewAI, a popular ... Read more Published Date: Mar 31, 2026 (1 day, 10 hours ago) Vulnerabilities has been mentioned in this article. CVE-2026-33026 CVE-2026-33032 CVE-2026-2287 CVE-2026-2286 CVE-2026-2285 CVE-2026-2275 CVE-2026-3055 CVE-2026-2256 CVE-2026-21962

Critical F5 BIG-IP Flaw Upgraded to 9.8 RCE, Exploited in the Wild Cybersecurity researchers at F5 have issued an urgent warning regarding a severe security flaw affecting their BIG-IP APM systems. Originally, the issue was dismissed as a minor technical glitch, but ... Read more Published Date: Mar 31, 2026 (1 day, 3 hours ago) Vulnerabilities has been mentioned in this article. CVE-2025-53521

CVE ID :CVE-2024-14031 Published : March 31, 2026, 11:31 a.m. | 22 minutes ago Description :Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...