This archive includes all published incident pages. Page 12 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Selection criteria and correction policy are documented in Methodology & Editorial Policy.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary The OpenClaw Nostr channel plugin (optional, disabled by default, installed separately) exposes profile management HTTP endpoints under /api/channels/nostr/:accountId/profile (GET/PUT) and...
Incident date: February 17, 2026 | Published: February 25, 2026
Summary Versions of the openclaw npm package prior to 2026.2.2 could be coerced into fetching arbitrary http(s) URLs during attachment/media hydration.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the...
Incident date: February 17, 2026 | Published: February 25, 2026
Impact An issue was discovered in httpsig-hyper where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison: rust if matches!
Incident date: February 17, 2026 | Published: February 25, 2026
**Description:** A vulnerability in the API Server of Skill Scanner could allow a unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node.
Incident date: February 17, 2026 | Published: February 25, 2026
Impact Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or...
Incident date: February 17, 2026 | Published: February 25, 2026
Security Advisory:Unauthenticated File Upload in Gogs Vulnerability Type: Unauthenticated File Upload Date: Aug 5, 2025 Discoverer: OpenAI Security Research ## Summary Gogs exposes unauthenticated file upload endpoints by default.
Incident date: February 17, 2026 | Published: February 25, 2026
Summary An access control bypass vulnerability in Gogs web interface allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely...
Incident date: February 17, 2026 | Published: February 25, 2026
**Summary** A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI ( internal/route/repo/issue.