ALL POSTS

Key Findings Critical RCE vulnerability CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 9 hours 41 minutes of disclosure Unauthenticated attackers can obtain full interactive shell access on exposed instances through /terminal/ws WebSocket endpoint Affects all Marimo versions up to 0.20.4; patched in version 0.23.0 Unknown threat actor built working exploit from advisory alone, with no public PoC available Attacker conducted credential theft operation and reconnaissance,

Key Findings OpenClaw has fixed a high-severity security issue that could have allowed a malicious website to connect to a locally running AI agent and take over control. The flaw, dubbed "ClawJacked" by Oasis Security, enables a malicious website to silently open a WebSocket connection to the local OpenClaw gateway and brute-force the password. Upon successful authentication, the malicious script can register as a trusted device, which is automatically approved by the gatewa