Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newMedium CVE-2026-12491 CWE-436
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
deployed_code Affected: vllm >= 0.11.0, <= 0.23.0 calendar_today Published: June 17, 2026 -
open_in_newMedium CVE-2026-45386 CWE-639
An IDOR vulnerability exists in the pin_channel_message API endpoint
deployed_code Affected: open-webui < 0.9.5 calendar_today Published: May 11, 2026 -
open_in_newMedium CVE-2026-45385 CWE-639
An IDOR vulnerability exists in the update_message_by_id API endpoint
deployed_code Affected: open-webui < 0.9.5 calendar_today Published: May 11, 2026 -
open_in_newLow CVE-2026-43529 CWE-367
OpenClaw: TOCTOU read in exec script preflight
deployed_code Affected: OpenClaw < 2026.4.10 calendar_today Published: May 05, 2026 -
open_in_newMedium CVE-2026-42310 CWE-835
Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
deployed_code Affected: pillow >= 4.2.0, < 12.2.0 calendar_today Published: May 04, 2026 -
open_in_newLow GHSA-j4c5-89f5-f3pm CWE-918
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
deployed_code Affected: openclaw < 2026.4.20 calendar_today Published: April 25, 2026 -
open_in_newMedium CVE-2026-42439 CWE-862/CWE-918
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
deployed_code Affected: openclaw < 2026.4.10 calendar_today Published: April 17, 2026 -
open_in_newMedium CVE-2026-43576 CWE-601/CWE-918
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
deployed_code Affected: openclaw < 2026.4.5 calendar_today Published: April 17, 2026 -
open_in_newHigh CVE-2026-43584 CWE-184
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
deployed_code Affected: openclaw < 2026.4.10 calendar_today Published: April 17, 2026 -
open_in_newHigh CVE-2026-43533 CWE-23
OpenClaw: QQBot media tags could read arbitrary local files through reply text
deployed_code Affected: openclaw < 2026.4.10 calendar_today Published: April 17, 2026
Per page
