Common Weakness Enumeration

CWE-706

Allowed-with-Review

Use of Incorrectly-Resolved Name or Reference

Abstraction: Class · Status: Incomplete

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

148 vulnerabilities reference this CWE, most recent first.

GHSA-PF84-MFP6-QCGG

Vulnerability from github – Published: 2026-06-17 21:34 – Updated: 2026-06-17 21:34
VLAI
Details

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-10696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T20:16:47Z",
    "severity": "HIGH"
  },
  "details": "Use of an incorrectly resolved name or reference in the pinget backend \nin Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community \ncatalog contributor to cause an installed application to be correlated \nto an unrelated, attacker-controlled catalog package and to execute an \nattacker-controlled installer via a crafted catalog package whose \nnormalized name is contained as a substring within the installed \napplication name when a user applies the proposed update.",
  "id": "GHSA-pf84-mfp6-qcgg",
  "modified": "2026-06-17T21:34:38Z",
  "published": "2026-06-17T21:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10696"
    },
    {
      "type": "WEB",
      "url": "https://devolutions.net/security/advisories/DEVO-2026-0019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ6J-C37F-96X2

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-05-27 00:00
VLAI
Details

Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-20T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Herd Effects plugin \u003c= 5.2 at WordPress.",
  "id": "GHSA-pq6j-c37f-96x2",
  "modified": "2022-05-27T00:00:34Z",
  "published": "2022-05-21T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29448"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q472-C8JF-W689

Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-23 00:00
VLAI
Details

Allows a remote user to read files on the camera's OS "GetFileContent.cgi". Reading arbitrary files on the camera's OS as root user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30621"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-18T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Allows a remote user to read files on the camera\u0027s OS \"GetFileContent.cgi\". Reading arbitrary files on the camera\u0027s OS as root user.",
  "id": "GHSA-q472-c8jf-w689",
  "modified": "2022-07-23T00:00:22Z",
  "published": "2022-07-19T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30621"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q524-5RG8-2J6P

Vulnerability from github – Published: 2025-05-22 15:34 – Updated: 2025-05-22 15:34
VLAI
Details

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-69",
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T13:15:57Z",
    "severity": "MODERATE"
  },
  "details": "Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.",
  "id": "GHSA-q524-5rg8-2j6p",
  "modified": "2025-05-22T15:34:49Z",
  "published": "2025-05-22T15:34:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3941"
    },
    {
      "type": "WEB",
      "url": "https://docs.niagara-community.com/category/tech_bull"
    },
    {
      "type": "WEB",
      "url": "https://www.honeywell.com/us/en/product-security#security-notices"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q889-WJJ8-C346

Vulnerability from github – Published: 2022-11-22 00:30 – Updated: 2022-11-28 18:30
VLAI
Details

An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for \"Ghost\" domain names.",
  "id": "GHSA-q889-wjj8-c346",
  "modified": "2022-11-28T18:30:16Z",
  "published": "2022-11-22T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30257"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-81"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8VH-378G-2PJV

Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08
VLAI
Details

MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup's archive file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-11T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup\u0027s archive file.",
  "id": "GHSA-q8vh-378g-2pjv",
  "modified": "2022-05-13T01:08:16Z",
  "published": "2022-05-13T01:08:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eddietcc/CVEnotes/blob/master/MyWebSQL/RCE/readme.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9F5-625G-XM39

Vulnerability from github – Published: 2025-03-20 18:48 – Updated: 2025-03-20 18:48
VLAI
Summary
OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`
Details

Summary

URLs starting with // are not parsed properly, and the request REQUEST_FILENAME variable contains a wrong value, leading to potential rules bypass.

Details

If a request is made on an URI starting with //, coraza will set a wrong value in REQUEST_FILENAME. For example, if the URI //bar/uploads/foo.php?a=b is passed to coraza: , REQUEST_FILENAME will be set to /uploads/foo.php.

The root cause is the usage of url.Parse to parse the URI in ProcessURI.

url.Parse can parse both absolute URLs (starting with a scheme) or relative ones (just the path). //bar/uploads/foo.php is a valid absolute URI (the scheme is empty), url.Parse will consider bar as the host and the path will be set to /uploads/foo.php.

PoC

package main

import (
    "fmt"
    "net/url"
    "os"

    "github.com/corazawaf/coraza/v3"
)

const testRule = `
SecDebugLogLevel 9
SecDebugLog /dev/stdout
SecRule REQUEST_FILENAME "@rx /bar/uploads/.*\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
`

func main() {
    var testURL = "//bar/uploads/foo.php"

    if os.Getenv("TEST_URL") != "" {
        testURL = os.Getenv("TEST_URL")
    }

    fmt.Printf("Testing URL: %s\n", testURL)

    config := coraza.NewWAFConfig().WithDirectives(testRule)

    waf, err := coraza.NewWAF(config)

    if err != nil {
        panic(err)
    }

    tx := waf.NewTransaction()

    tx.ProcessURI(testURL, "GET", "HTTP/1.1")

    in := tx.ProcessRequestHeaders()

    if in != nil {
        fmt.Printf("%+v\n", in)
    }
}

Impact

Potential bypass of rules using REQUEST_FILENAME.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/jptosso/coraza-waf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/corazawaf/coraza/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-29914"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T18:48:38Z",
    "nvd_published_at": "2025-03-20T18:15:18Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nURLs starting with `//` are not parsed properly, and the request `REQUEST_FILENAME` variable contains a wrong value, leading to potential rules bypass.\n\n### Details\n\nIf a request is made on an URI starting with `//`, coraza will set a wrong value in `REQUEST_FILENAME`.\nFor example, if the URI `//bar/uploads/foo.php?a=b` is passed to coraza: , `REQUEST_FILENAME` will be set to `/uploads/foo.php`.\n\nThe root cause is the usage of `url.Parse` to parse the URI in [ProcessURI](https://github.com/corazawaf/coraza/blob/8b612f4e6e18c606e371110227bc7669dc714cab/internal/corazawaf/transaction.go#L768).\n\n`url.Parse` can parse both absolute URLs (starting with a scheme) or relative ones (just the path). \n`//bar/uploads/foo.php` is a valid absolute URI (the scheme is empty), `url.Parse` will consider `bar` as the host and the path will be set to `/uploads/foo.php`.\n\n### PoC\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/url\"\n\t\"os\"\n\n\t\"github.com/corazawaf/coraza/v3\"\n)\n\nconst testRule = `\nSecDebugLogLevel 9\nSecDebugLog /dev/stdout\nSecRule REQUEST_FILENAME \"@rx /bar/uploads/.*\\.(h?ph(p|tm?l?|ar)|module|shtml)\" \"id:1,phase:1,deny\"\n`\n\nfunc main() {\n\tvar testURL = \"//bar/uploads/foo.php\"\n\n\tif os.Getenv(\"TEST_URL\") != \"\" {\n\t\ttestURL = os.Getenv(\"TEST_URL\")\n\t}\n\n\tfmt.Printf(\"Testing URL: %s\\n\", testURL)\n\n\tconfig := coraza.NewWAFConfig().WithDirectives(testRule)\n\n\twaf, err := coraza.NewWAF(config)\n\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\ttx := waf.NewTransaction()\n\n\ttx.ProcessURI(testURL, \"GET\", \"HTTP/1.1\")\n\n\tin := tx.ProcessRequestHeaders()\n\n\tif in != nil {\n\t\tfmt.Printf(\"%+v\\n\", in)\n\t}\n}\n```\n\n### Impact\n\nPotential bypass of rules using `REQUEST_FILENAME`.",
  "id": "GHSA-q9f5-625g-xm39",
  "modified": "2025-03-20T18:48:38Z",
  "published": "2025-03-20T18:48:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/security/advisories/GHSA-q9f5-625g-xm39"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29914"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/commit/4722c9ad0d502abd56b8d6733c6b47eb4111742d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/corazawaf/coraza"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OWASP Coraza WAF has parser confusion which leads to wrong URI in `REQUEST_FILENAME`"
}

GHSA-QHHJ-Q26M-MRW8

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2024-03-27 15:30
VLAI
Details

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-05T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take \u0027issuercert\u0027 into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn\u0027t include the \u0027issuer cert\u0027 which a transfer can setto qualify how to verify the server certificate.",
  "id": "GHSA-qhhj-q26m-mrw8",
  "modified": "2024-03-27T15:30:33Z",
  "published": "2022-05-24T19:10:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22924"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1223565"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5197"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210902-0003"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-732250.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QM9X-V7CX-7RQ4

Vulnerability from github – Published: 2026-03-26 19:08 – Updated: 2026-04-10 19:37
VLAI
Summary
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
Details

Summary

Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 39409b6a6dd4239deea682e626bac9ba547bfb14

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • src/infra/dispatch-wrapper-resolution.ts now unwraps /usr/bin/time and binds approvals to the real inner executable.
  • src/infra/exec-approvals-allow-always.test.ts ships regression coverage for time-wrapper allow-always approval bypasses.

OpenClaw thanks @YLChen-007 for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:08:45Z",
    "nvd_published_at": "2026-04-10T17:17:08Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nAllow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `39409b6a6dd4239deea682e626bac9ba547bfb14`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/dispatch-wrapper-resolution.ts now unwraps /usr/bin/time and binds approvals to the real inner executable.\n- src/infra/exec-approvals-allow-always.test.ts ships regression coverage for time-wrapper allow-always approval bypasses.\n\nOpenClaw thanks @YLChen-007 for reporting.",
  "id": "GHSA-qm9x-v7cx-7rq4",
  "modified": "2026-04-10T19:37:43Z",
  "published": "2026-03-26T19:08:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-unregistered-time-dispatch-wrapper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s system.run allowlist can be bypassed through an unregistered time dispatch wrapper"
}

GHSA-QR79-4QWM-2CWC

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR). Any attacker will be able to see the invoices of different users by changing the id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-01T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Sourcecodester Phone Shop Sales Managements System 1.0 is vulnerable to Insecure Direct Object Reference (IDOR). Any attacker will be able to see the invoices of different users by changing the id parameter.",
  "id": "GHSA-qr79-4qwm-2cwc",
  "modified": "2022-05-24T19:06:42Z",
  "published": "2022-05-24T19:06:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35337"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-159: Redirect Access to Libraries

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

CAPEC-177: Create files with the same name as files protected with a higher classification

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

CAPEC-641: DLL Side-Loading

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.