Security vulnerabilities I've reported and documented across various open‑source and commercial projects.
Each entry includes:
-
A link to the official CVE record (NVD/MITRE)
-
A short summary of the issue and its impact
-
A write‑up and PoC for reference
| CVE | Summary | Writeup and PoC |
|---|---|---|
| CVE‑2026‑22788 | WebErpMesV2 prior to 1.19 exposes multiple unauthenticated API endpoints, allowing remote attackers to read business‑critical data (companies, quotes, orders, tasks, whiteboards) and perform limited write actions such as creating companies and modifying collaboration whiteboards. | Report |
| CVE‑2026‑22789 | WebErpMesV2 prior to 1.19 contains a file upload validation bypass in multiple controllers, enabling authenticated users to upload arbitrary files (including PHP scripts) that can lead to Remote Code Execution (RCE). | Report |
| CVE‑2026‑23946 | Tendenci ≤ 15.3.11 uses unsafe deserialization in the Helpdesk module; use of pickle.loads() by authenticated staff users can trigger arbitrary code execution. |
Report |
| CVE‑2026‑27013 | fabric.js before 7.2.0 fails to escape user‑controlled strings in SVG attributes during export, leading to stored XSS when attacker‑controlled JSON is loaded and exported as SVG. | Report |
| CVE‑2026‑27203 | eBay API MCP Server's updateEnvFile in src/auth/oauth.ts writes unvalidated input to .env, enabling environment variable injection that can overwrite configuration, cause denial of service, or enable RCE under certain conditions. |
Report |
| CVE‑2026‑12568 | bbot downloads Postman workspaces using the workspace name as a local path without sanitization, allowing path traversal and arbitrary file writes outside the scan directory. |
Report |
| CVE‑2026‑31069 | BillaBear's metric filter system directly interpolates user‑controlled filter names into SQL queries using sprintf() without sanitization, allowing authenticated users with ROLE_ACCOUNT_MANAGER to inject malicious SQL and achieve full database compromise. |
Report |
| CVE‑2026‑31070 | Pharmacy Management System exposes multiple critical API endpoints without authentication middleware, allowing unauthenticated remote attackers to read all user data (including password hashes), drug inventory, doctor prescriptions, and perform unauthorized modifications and deletions. | Report |
| CVE‑2026‑31071 | Pharmacy Management System signup endpoint accepts user‑controlled role parameter without validation, allowing any unauthenticated attacker to self‑assign administrative privileges during registration. |
Report |
| CVE‑2026‑31072 | APScheduler 4.0.0a3 through 4.0.0a6 JSONSerializer and CBORSerializer use a custom deserialization path that allows arbitrary class instantiation and __setstate__ injection, enabling remote code execution when attacker-controlled serialized data is processed. |
Report |
| CVE‑2026‑31996 | OpenClaw prior to 2026.2.19 allows unintended filesystem operations via tools.exec.safeBins by abusing flags such as sort -o or grep -R, enabling write/read actions outside intended boundaries. |
Report |
| CVE‑2026‑32898 | OpenClaw prior to 2026.2.19 allows attackers to bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like tool names, potentially leading to unauthorized data access. | Report |
| CVE‑2026‑4039 | OpenClaw 2026.2.19‑2 contains an issue in the Skill Env Handler (applySkillConfigenvOverrides) that can enable code injection; upgrading to 2026.2.21‑beta.1 or later mitigates the issue. |
Report |
| CVE‑2026‑4040 | OpenClaw up to 2026.2.17 exposes information via tools.exec.safeBins by relying on file‑existence checks that leak sensitive details through timing/response differences. |
Report |
| CVE‑2026‑7722 | Prefect 3.x before 3.6.22 auth middleware exempts any GET request whose URL path ends with health or ready from authentication, allowing unauthenticated access to sensitive named endpoints such as variables (which may contain secrets), work pool configs, flow metadata, and block documents. |
Report |
| CVE‑2026‑7723 | Prefect 3.x before 3.6.14 exposes the /api/events/in WebSocket endpoint without authentication even when PREFECT_SERVER_API_AUTH_STRING is configured, allowing unauthenticated attackers to inject arbitrary events and trigger automations. |
Report |
| CVE‑2026‑7724 | Prefect 3.x up to 3.6.26 contains a DNS‑rebinding TOCTOU flaw in validate_restricted_url; the hostname is resolved separately at validation time and at connect time, enabling an attacker to bypass SSRF protections and reach internal services such as cloud metadata endpoints. |
Report |
| CVE‑2026‑7725 | Prefect 3.x before 3.6.25 passes commit_sha and directories parameters from GitRepository pull‑step configuration verbatim to git subprocess calls without validation, enabling argument injection that can cause worker denial of service or, under certain conditions, remote code execution on a git host. |
Report |
| CVE‑2026‑10802 | KeystoneJS exposes GraphQL relationship fields that allow unbounded query depth, enabling attackers to send deeply nested queries that cause exponential database operations, exhausting connection pools, CPU, and memory, leading to denial of service. | Report |
This will be continuously updated as I discover new vulnerabilities.