Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newHigh CVE-2026-43584 CWE-184
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
deployed_code Affected: openclaw < 2026.4.10 calendar_today Published: April 17, 2026 -
open_in_newHigh CVE-2026-43533 CWE-23
OpenClaw: QQBot media tags could read arbitrary local files through reply text
deployed_code Affected: openclaw < 2026.4.10 calendar_today Published: April 17, 2026 -
open_in_newHigh CVE-2026-42427 CWE-78/CWE-184
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newHigh GHSA-jccr-rrw2-vc8h CWE-185/CWE-200
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
deployed_code Affected: openclaw <= 2026.3.24 calendar_today Published: March 31, 2026 -
open_in_newHigh CVE-2026-4715 CWE-908
Uninitialized memory in the Graphics: Canvas2D component
deployed_code Affected: firefox < 140.9; < 149 calendar_today Published: March 24, 2026 -
open_in_newHigh CVE-2026-28479 CWE-327/CWE-328
OpenClaw replaced a deprecated sandbox hash algorithm
deployed_code Affected: openclaw <= 2026.2.14 calendar_today Published: February 19, 2026 -
open_in_newHigh CVE-2025-39982
Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync
deployed_code Affected: Linux / bluetooth >= 5.18, < 6.1.155; >= 5.18, < 6.6.109; >= 5.18, < 6.12.50; >= 5.18, < 6.16.10; >= 5.18, < 6.17 calendar_today Published: October 15, 2025 -
open_in_newHigh CVE-2025-39981
Bluetooth: MGMT: Fix possible UAFs
deployed_code Affected: Linux / bluetooth >= 5.17, < 6.6.140; >= 5.17, < 6.12.59; >= 5.17, < 6.16.10; >= 5.17, < 6.17 calendar_today Published: October 15, 2025 -
open_in_newHigh CVE-2025-23356 CWE‑306
NVIDIA Isaac Lab contains a vulnerability in SB3 configuration parsing
deployed_code Affected: NVIDIA All versions prior to v2.2.1 calendar_today Published: October 13, 2025 -
open_in_newHigh CVE-2025-61784 CWE-22/CWE-918
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities
deployed_code Affected: llamafactory <= 0.9.3 calendar_today Published: October 07, 2025
Per page
