This archive includes all published incident pages. Page 10 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary **/port-groups name Stored Cross-Site Scripting**

- HTTP POST
- Request-URI(s): "/port-groups"
- Vulnerable parameter(s): "name"
- Attacker must be authenticated with "admin" privileges.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary **/device-groups name Stored Cross-Site Scripting**

- HTTP POST
- Request-URI(s): "/device-groups"
- Vulnerable parameter(s): "name"
- Attacker must be authenticated with "admin" privileges.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. ### Details In lib/wifi.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles,...
Incident date: February 18, 2026 | Published: February 25, 2026
Summary The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary Inter-session messages sent via sessions_send could be interpreted as direct end-user instructions because they were persisted as role: "user" without provenance metadata.