Security Vulnerabilities
OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To remediate this issue, users should upgrade to version 2.0.5.1 or later.
CVSS Score: 7.3 | EPSS Score: 0.001 | Published: 2026-04-03
A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
CVSS Score: 8.7 | EPSS Score: 0.001 | Published: 2026-04-03
Development and test API endpoints are present that mirror production functionality.
CVSS Score: 6.9 | EPSS Score: 0.0 | Published: 2026-04-03
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
CVSS Score: 6.0 | EPSS Score: 0.0 | Published: 2026-04-03
Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by the driver during user-initiated authentication. To remediate this issue, users should upgrade to version 2.1.0.0.
CVSS Score: 7.3 | EPSS Score: 0.0 | Published: 2026-04-03
Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0.0.
CVSS Score: 7.1 | EPSS Score: 0.001 | Published: 2026-04-03
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6.
CVSS Score: 5.3 | EPSS Score: 0.0 | Published: 2026-04-03
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the uploads directory during import. This issue has been patched in version 11.6.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2026-04-03
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
CVSS Score: 9.2 | EPSS Score: 0.001 | Published: 2026-04-03
A specific administrative endpoint (notifications) is accessible without proper authentication.
CVSS Score: 6.9 | EPSS Score: 0.001 | Published: 2026-04-03
Shodan ® - All rights reserved