CWE-15
AllowedExternal Control of System or Configuration Setting
Abstraction: Base · Status: Incomplete
One or more system settings or configuration elements can be externally controlled by a user.
137 vulnerabilities reference this CWE, most recent first.
GHSA-HJVP-QHM6-WRH2
Vulnerability from github – Published: 2026-03-02 22:40 – Updated: 2026-03-30 13:39Summary
In approval-enabled host=node workflows, system.run approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.
Affected Packages / Versions
- Package: npm
openclaw - Latest published npm version at triage:
2026.2.25 - Affected range:
<= 2026.2.25 - Planned fixed version (next npm release):
2026.2.26
Preconditions / Typical Exposure
This requires all of the following:
- system.run usage through host=node
- Exec approvals enabled and used as an execution-integrity control
- Access to an approval id in the same context
Most default single-operator local setups do not rely on this path, so practical exposure is typically lower.
Details
Approval matching now uses a required versioned binding (systemRunBindingV1) over command argv, cwd, agent/session context, and env hash.
The fix:
- Requires commandArgv when requesting host=node approvals.
- Requires systemRunBindingV1 when consuming approvals for node system.run.
- Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.
- Keeps env mismatch handling explicit and blocks GIT_EXTERNAL_DIFF in host env policy.
- Adds/updates regression and contract coverage for mismatch mapping and binding rules.
Impact
Configuration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains medium because exploitation depends on this specific approval mode and context.
Fix Commit(s)
10481097f8e6dd0346db9be0b5f27570e1bdfcfa
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.26) so once npm release 2026.2.26 is published, the advisory can be published without further metadata edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32058"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T22:40:15Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nIn approval-enabled `host=node` workflows, `system.run` approvals did not always carry a strict, versioned execution-context binding. In uncommon setups that rely on these approvals as an integrity guardrail, a previously approved request could be reused with changed env input.\n\n### Affected Packages / Versions\n- Package: npm `openclaw`\n- Latest published npm version at triage: `2026.2.25`\n- Affected range: `\u003c= 2026.2.25`\n- Planned fixed version (next npm release): `2026.2.26`\n\n### Preconditions / Typical Exposure\nThis requires all of the following:\n- `system.run` usage through `host=node`\n- Exec approvals enabled and used as an execution-integrity control\n- Access to an approval id in the same context\n\nMost default single-operator local setups do not rely on this path, so practical exposure is typically lower.\n\n### Details\nApproval matching now uses a required versioned binding (`systemRunBindingV1`) over command argv, cwd, agent/session context, and env hash.\n\nThe fix:\n- Requires `commandArgv` when requesting `host=node` approvals.\n- Requires `systemRunBindingV1` when consuming approvals for node `system.run`.\n- Removes legacy non-versioned fallback matching and fails closed on missing/mismatched bindings.\n- Keeps env mismatch handling explicit and blocks `GIT_EXTERNAL_DIFF` in host env policy.\n- Adds/updates regression and contract coverage for mismatch mapping and binding rules.\n\n### Impact\nConfiguration-dependent approval-integrity weakness in node-host exec approval flows. Severity remains `medium` because exploitation depends on this specific approval mode and context.\n\n### Fix Commit(s)\n- `10481097f8e6dd0346db9be0b5f27570e1bdfcfa`\n\n### Release Process Note\n`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm release `2026.2.26` is published, the advisory can be published without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-hjvp-qhm6-wrh2",
"modified": "2026-03-30T13:39:35Z",
"published": "2026-03-02T22:40:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32058"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows"
}
GHSA-HVX7-JQJG-R7R7
Vulnerability from github – Published: 2026-04-13 09:31 – Updated: 2026-07-07 18:30A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection.
{
"affected": [],
"aliases": [
"CVE-2026-0232"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T08:16:20Z",
"severity": "MODERATE"
},
"details": "A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent.\u00a0This issue may be leveraged by malware to perform malicious activity without detection.",
"id": "GHSA-hvx7-jqjg-r7r7",
"modified": "2026-07-07T18:30:26Z",
"published": "2026-04-13T09:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0232"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2026-0232"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-HWQH-2684-54FC
Vulnerability from github – Published: 2026-04-10 09:31 – Updated: 2026-04-14 18:27When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead.
Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally, if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1, which are the current supported open source releases.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.2.0"
]
}
],
"aliases": [
"CVE-2026-22750"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T22:11:21Z",
"nvd_published_at": "2026-04-10T08:16:24Z",
"severity": "HIGH"
},
"details": "When configuring SSL bundles in Spring Cloud Gateway by using the configuration property\u00a0spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead.\n\nNote: The\u00a04.2.x\u00a0branch is no longer under open source support. If you are using Spring Cloud Gateway\u00a04.2.0\u00a0and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway\u00a04.2.x\u00a0release newer than\u00a04.2.0\u00a0available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally, if you are not an enterprise customer, you should be upgrading to\u00a05.0.2\u00a0or\u00a05.1.1,\u00a0which are the current supported open source releases.",
"id": "GHSA-hwqh-2684-54fc",
"modified": "2026-04-14T18:27:12Z",
"published": "2026-04-10T09:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22750"
},
{
"type": "WEB",
"url": "https://github.com/spring-cloud/spring-cloud-gateway/pull/3641"
},
{
"type": "WEB",
"url": "https://github.com/spring-cloud/spring-cloud-gateway/commit/84009f2ee421e2191f8cc32ce3a84e7fc09e305e"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-cloud/spring-cloud-gateway"
},
{
"type": "WEB",
"url": "https://github.com/spring-cloud/spring-cloud-gateway/releases/tag/v4.2.1"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-22750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Cloud Gateway\u0027s SSL bundle configuration silently bypassed"
}
GHSA-J425-WHC4-4JGC
Vulnerability from github – Published: 2026-03-09 19:52 – Updated: 2026-03-09 19:52Summary
system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as GIT_SSH_COMMAND, editor/pager hooks, and GIT_CONFIG_* / NPM_CONFIG_*.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published vulnerable version:
2026.3.2 - Affected range:
<= 2026.3.2 - Patched in:
2026.3.7
Details
Before the fix, src/infra/host-env-security.ts blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as GIT_SSH_COMMAND and prefix families such as GIT_CONFIG_* and NPM_CONFIG_* could still survive sanitizeSystemRunEnvOverrides(...) / sanitizeHostExecEnv(...) and reach the spawned process.
That mattered for system.run allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as git, this allowed behavior outside the reviewed command semantics.
The fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior.
Impact
This is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke system.run and supply env overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior.
Fix Commit(s)
e27bbe4982439da6864160fd1b66445058f74801
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @tdjackey and @SnailSploit for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:52:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n`system.run` env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke `system.run` with `env` overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading environment variables such as `GIT_SSH_COMMAND`, editor/pager hooks, and `GIT_CONFIG_*` / `NPM_CONFIG_*`.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published vulnerable version: `2026.3.2`\n- Affected range: `\u003c= 2026.3.2`\n- Patched in: `2026.3.7`\n\n### Details\nBefore the fix, `src/infra/host-env-security.ts` blocked only a narrow set of override-only environment variables. Dangerous request-scoped overrides such as `GIT_SSH_COMMAND` and prefix families such as `GIT_CONFIG_*` and `NPM_CONFIG_*` could still survive `sanitizeSystemRunEnvOverrides(...)` / `sanitizeHostExecEnv(...)` and reach the spawned process.\n\nThat mattered for `system.run` allowlist and approval flows because approval evaluation was tied to the reviewed binary/argv, while the launched process could still inherit attacker-controlled env overrides that changed helper-command execution or config resolution. For allowlisted tools such as `git`, this allowed behavior outside the reviewed command semantics.\n\nThe fix extends the shared TypeScript and macOS policy to block dangerous override-only exact keys and prefixes while preserving trusted inherited base-environment behavior.\n\n### Impact\nThis is a real protection-bypass issue, but exploitation requires an already tool-enabled caller who can invoke `system.run` and supply `env` overrides. In affected deployments, that caller could bypass allowlist/approval intent and trigger helper-command execution or config-loading behavior that is not represented by the approved command line. Maintainer severity is set to medium because the bug still requires that existing execution capability; the vulnerability is the mismatch between reviewed command semantics and the actual spawned-process behavior.\n\n### Fix Commit(s)\n- `e27bbe4982439da6864160fd1b66445058f74801`\n\n### Release Process Note\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @tdjackey and @SnailSploit for reporting.",
"id": "GHSA-j425-whc4-4jgc",
"modified": "2026-03-09T19:52:59Z",
"published": "2026-03-09T19:52:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j425-whc4-4jgc"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/e27bbe4982439da6864160fd1b66445058f74801"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s `system.run` env override filtering allowed dangerous helper-command pivots"
}
GHSA-J5VP-Q6VG-25MF
Vulnerability from github – Published: 2025-03-10 09:31 – Updated: 2025-03-12 12:30An improper input validation in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that enstablishes a TCP connection through a port forwarding. The lack of the IP address and port validation may allow the attacker to bypass firewall rules or to send malicious traffic in the network
{
"affected": [],
"aliases": [
"CVE-2025-27253"
],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-10T09:15:10Z",
"severity": "MODERATE"
},
"details": "An improper input validation in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that enstablishes a TCP connection through a port forwarding. The lack of the IP address and port validation may allow the attacker to bypass firewall rules or to send malicious traffic in the network",
"id": "GHSA-j5vp-q6vg-25mf",
"modified": "2025-03-12T12:30:56Z",
"published": "2025-03-10T09:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27253"
},
{
"type": "WEB",
"url": "https://www.gevernova.com/grid-solutions/app/DownloadFile.aspx?prod=urfamily\u0026type=21\u0026file=76"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-27253"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JV2H-4P9V-WF5W
Vulnerability from github – Published: 2026-06-19 15:12 – Updated: 2026-06-19 15:12Impact
The CVE-2026-47211 fix (0.39.0) added _UNTRUSTED_ENV_DENYLIST to stop an untrusted project-directory .env from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a .env (auto-loaded at import, no review step):
- Backend config-home roots
CODEX_HOME,OPENCODE_CONFIG,OPENCODE_CONFIG_DIR,XDG_CONFIG_HOME: a spawned vendor CLI resolves its config from these.CODEX_HOME=./.evil+ committed./.evil/config.tomlredirects the nested Codex agent to attacker config —mcp_servers.<name>.command/args(RCE) andapproval_policy="never"/sandbox_mode="danger-full-access"(silent removal of the human approval gate). (reported by matte1782) - MCP bridge / plugin execution roster
OUROBOROS_MCP_CONFIG(the YAML's servercommand/argsare spawned via stdio_client — RCE),OUROBOROS_PLUGIN_LOCKFILE,OUROBOROS_PLUGIN_TRUST_ROOT(redirect the installed-plugin roster / trust root soooo <name>dispatches into attacker code). (reported by hackkim) - SSRF guard toggle
OUROBOROS_ALLOW_LOCAL_TRANSPORT(re-enables loopback/private MCP transport targets). - Instruction / capability roots
OUROBOROS_AGENTS_DIR,COPILOT_CUSTOM_INSTRUCTIONS_DIRS(replace spawned sub-agent role prompts),OUROBOROS_RUNTIME_PROFILE(backend selector),OUROBOROS_TOOL_CAPABILITIES(override YAML can lower a tool'sapproval_class, weakening the approval gate).
Additionally, the MCP bridge auto-loaded ./.ouroboros/mcp_servers.yaml from the working directory (create_bridge_from_env(cwd=Path.cwd())), so running ooo inside a malicious repo spawned the committed roster's command — RCE with no .env at all. (cwd-branch noted by hackkim)
Patches
Fixed in 0.42.1. All listed keys were added to _UNTRUSTED_ENV_DENYLIST; the cwd auto-discovery branch was removed (only the explicit OUROBOROS_MCP_CONFIG env var and ~/.ouroboros/mcp_servers.yaml remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.
Workarounds
Do not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory .env and ./.ouroboros/mcp_servers.yaml before running.
Credit
Reported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.42.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ouroboros-ai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.42.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-15",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T15:12:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nThe CVE-2026-47211 fix (0.39.0) added `_UNTRUSTED_ENV_DENYLIST` to stop an untrusted project-directory `.env` from redirecting execution. The denylist was incomplete \u2014 several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a `.env` (auto-loaded at import, no review step):\n\n- **Backend config-home roots** `CODEX_HOME`, `OPENCODE_CONFIG`, `OPENCODE_CONFIG_DIR`, `XDG_CONFIG_HOME`: a spawned vendor CLI resolves its config from these. `CODEX_HOME=./.evil` + committed `./.evil/config.toml` redirects the nested Codex agent to attacker config \u2014 `mcp_servers.\u003cname\u003e.command/args` (RCE) and `approval_policy=\"never\"` / `sandbox_mode=\"danger-full-access\"` (silent removal of the human approval gate). (reported by matte1782)\n- **MCP bridge / plugin execution roster** `OUROBOROS_MCP_CONFIG` (the YAML\u0027s server `command`/`args` are spawned via stdio_client \u2014 RCE), `OUROBOROS_PLUGIN_LOCKFILE`, `OUROBOROS_PLUGIN_TRUST_ROOT` (redirect the installed-plugin roster / trust root so `ooo \u003cname\u003e` dispatches into attacker code). (reported by hackkim)\n- **SSRF guard toggle** `OUROBOROS_ALLOW_LOCAL_TRANSPORT` (re-enables loopback/private MCP transport targets).\n- **Instruction / capability roots** `OUROBOROS_AGENTS_DIR`, `COPILOT_CUSTOM_INSTRUCTIONS_DIRS` (replace spawned sub-agent role prompts), `OUROBOROS_RUNTIME_PROFILE` (backend selector), `OUROBOROS_TOOL_CAPABILITIES` (override YAML can lower a tool\u0027s `approval_class`, weakening the approval gate).\n\nAdditionally, the MCP bridge auto-loaded `./.ouroboros/mcp_servers.yaml` from the working directory (`create_bridge_from_env(cwd=Path.cwd())`), so running `ooo` inside a malicious repo spawned the committed roster\u0027s `command` \u2014 RCE with no `.env` at all. (cwd-branch noted by hackkim)\n\n### Patches\nFixed in 0.42.1. All listed keys were added to `_UNTRUSTED_ENV_DENYLIST`; the cwd auto-discovery branch was removed (only the explicit `OUROBOROS_MCP_CONFIG` env var and `~/.ouroboros/mcp_servers.yaml` remain, both trusted). The regression suite now derives from the source denylist to prevent future drift.\n\n### Workarounds\nDo not run Ouroboros from an untrusted/cloned repository directory; remove any project-directory `.env` and `./.ouroboros/mcp_servers.yaml` before running.\n\n### Credit\nReported privately via coordinated disclosure by matte1782 and hackkim (https://github.com/hackkim).",
"id": "GHSA-jv2h-4p9v-wf5w",
"modified": "2026-06-19T15:12:25Z",
"published": "2026-06-19T15:12:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Q00/ouroboros/security/advisories/GHSA-jv2h-4p9v-wf5w"
},
{
"type": "PACKAGE",
"url": "https://github.com/Q00/ouroboros"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys"
}
GHSA-MFQV-QJXH-RPRM
Vulnerability from github – Published: 2024-11-26 12:41 – Updated: 2024-11-26 12:41A CWE-15 "External Control of System or Configuration Setting" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability can be exploited by authenticated users by restoring a tampered configuration backup.
{
"affected": [],
"aliases": [
"CVE-2024-50358"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T11:21:59Z",
"severity": "HIGH"
},
"details": "A CWE-15 \"External Control of System or Configuration Setting\" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (\u003c= 1.6.3), EKI-6333AC-2GD (\u003c= v1.6.3) and EKI-6333AC-1GPO (\u003c= v1.2.1). The vulnerability can be exploited by authenticated users by restoring a tampered configuration backup.",
"id": "GHSA-mfqv-qjxh-rprm",
"modified": "2024-11-26T12:41:36Z",
"published": "2024-11-26T12:41:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50358"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-50358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MGP4-67W5-R388
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2024-04-04 05:45Versions 00.07.00 through 00.07.03.4 of Teltonika’s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2023-32349"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-22T16:15:10Z",
"severity": "HIGH"
},
"details": "\nVersions 00.07.00 through 00.07.03.4 of Teltonika\u2019s RUT router firmware contain a packet dump utility that contains proper validation for filter parameters. However, variables for validation checks are stored in an external configuration file. An authenticated attacker could use an exposed UCI configuration utility to change these variables and enable malicious parameters in the dump utility, which could result in arbitrary code execution.\n\n",
"id": "GHSA-mgp4-67w5-r388",
"modified": "2024-04-04T05:45:30Z",
"published": "2023-07-06T21:14:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32349"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4VP-3HQC-MFGR
Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2025-02-27 18:31Information Disclosure vulnerabilities allow access to application configuration information. Affected products:
ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02
{
"affected": [],
"aliases": [
"CVE-2024-51543"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T13:15:07Z",
"severity": "HIGH"
},
"details": "Information Disclosure vulnerabilities allow access to application configuration information.\u00a0\nAffected products:\n\n\nABB ASPECT - Enterprise v3.08.02; \nNEXUS Series v3.08.02; \nMATRIX Series v3.08.02",
"id": "GHSA-p4vp-3hqc-mfgr",
"modified": "2025-02-27T18:31:02Z",
"published": "2024-12-05T15:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51543"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PP54-3H2G-F979
Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the /apply_settings and /execute_code endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the /apply_settings endpoint. Subsequently, arbitrary commands can be executed remotely via the /execute_code endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.
{
"affected": [],
"aliases": [
"CVE-2024-4326"
],
"database_specific": {
"cwe_ids": [
"CWE-15"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-16T09:15:16Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.",
"id": "GHSA-pp54-3h2g-f979",
"modified": "2024-05-16T09:33:09Z",
"published": "2024-05-16T09:33:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4326"
},
{
"type": "WEB",
"url": "https://github.com/parisneo/lollms-webui/commit/abb4c6d495a95a3ef5b114ffc57f85cd650b905e"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/2ab9f03d-0538-4317-be21-0748a079cbdd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation
Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.
Mitigation
In general, do not allow user-provided or otherwise untrusted data to control sensitive values. The leverage that an attacker gains by controlling these values is not always immediately obvious, but do not underestimate the creativity of the attacker.
CAPEC-13: Subverting Environment Variable Values
The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
CAPEC-146: XML Schema Poisoning
An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.
CAPEC-176: Configuration/Environment Manipulation
An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.
CAPEC-203: Manipulate Registry Information
An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.
CAPEC-270: Modification of Registry Run Keys
An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.
CAPEC-271: Schema Poisoning
An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.
CAPEC-579: Replace Winlogon Helper DLL
Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.
CAPEC-69: Target Programs with Elevated Privileges
This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.