Jupyter Notebook 5.7.0 Documentation
complete list of pull requests involved in this release. 5.4 5.4.1 A security release to fix CVE-2018-8768. Thanks to Alex for identifying this bug, and Jonathan Kamens and Scott Sanderson at Quantopian ... a couple bug fixes, and improvements to the newly-released token authentication. Security fix: • CVE-2016-9971. Fix CSRF vulnerability, where malicious forms could create untitled files and start kernels ... security fix. All users are strongly encouraged to upgrade to 4.2.2. Highlights: • Security fix: CVE-2016-6524, where untrusted latex output could be added to the page in a way that could execute javascript
0 credits | 145 pages | 1.83 MB | 2 years ago

Jupyter Notebook 5.4.1 Documentation
to upgrade pip. Check pip version with pip --version. 18.1 5.4.1 A security release to fix CVE-2018-8768. Thanks to Alex for identifying this bug, and Jonathan Kamens and Scott Sanderson at Quantopian ... couple bug fixes, and improvements to the newly-released token authentication. Security fix: • CVE-2016-9971. Fix CSRF vulnerability, where malicious forms could create untitled files and start kernels ... security fix. All users are strongly encouraged to upgrade to 4.2.2. Highlights: • Security fix: CVE-2016-6524, where untrusted latex output could be added to the page in a way that could execute javascript
0 credits | 134 pages | 1.77 MB | 2 years ago

Jupyter Notebook 5.7.4 Documentation
Upgrade bootstrap to 3.4, fixing an XSS vulnerability, which has been assigned CVE-2018-14041 [https://nvd.nist.gov/vuln/detail/CVE-2018-14041] (PR #4271 [https://github.com/jupyter/notebook/pull/4271/]). ... to execute javascript. CVE request pending. 5.7.1 5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending. ... involved in this release. 5.4.1 A security release to fix CVE-2018-8768 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8768]. Thanks to Alex [https://hackerone.com/pisarenko] for identifying
0 credits | 203 pages | 4.45 MB | 2 years ago

Jupyter Notebook 4.x Documentation
couple bug fixes, and improvements to the newly-released token authentication. Security fix: • CVE-2016-9971. Fix CSRF vulnerability, where malicious forms could create untitled files and start kernels ... security fix. All users are strongly encouraged to upgrade to 4.2.2. Highlights: • Security fix: CVE-2016-6524, where untrusted latex output could be added to the page in a way that could execute javascript ... 0.5 Security fixes for maliciously crafted files. CVE-2015-6938 [http://www.openwall.com/lists/oss-security/2015/09/02/3]: malicious filenames CVE-2015-7337 [http://www.openwall.com/lists/oss-security/2015/09/16/3]:
0 credits | 128 pages | 1.86 MB | 2 years ago

Jupyter Notebook 5.7.6 Documentation
Internet Explorer through script errors, but this has not been demonstrated with other browsers. A CVE has been requested for this vulnerability. 5.2 5.7.5 • Fix compatibility with tornado 6 (PR ... which has been assigned CVE-2018-14041 (PR #4271). 5.5 5.7.2 5.7.2 contains a security fix preventing malicious directory names from being able to execute javascript. CVE request pending. ... security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending. 5.7 5.7.0 New features: • Update to CodeMirror to 5.37, which includes f-string
0 credits | 155 pages | 1.71 MB | 2 years ago

Opkg: Debian's Little Cousin
package management system forked from ipkg, and is intended for use on embedded devices. Tracked as CVE-2020-7982, the addressed issue resides in the package list parse logic of opkg, which did not perform
0 credits | 35 pages | 1.60 MB | 2 years ago

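OpenClaw Orange Book: From Beginner to Expert - v1.4.0
Anthropic trademark warning. Because the name was too similar to Claude, the project was forced to rename itself Moltbot (Molt = a lobster shedding its shell). January 30, 2026: Renamed again, to OpenClaw. Emphasizes its open-source nature and keeps the lobster theme. Early February 2026: Security crisis. The CVE-2026-25253 RCE vulnerability was discovered (CVSS 8.8/10); of 135,000 exposed instances, more than 50,000 could be attacked directly. In the same period the ClawHavoc supply-chain attack broke out, and about 12% of the Skills on ClawHub were confirmed to be malicious. Early February 2026 ... There are also shadows behind OpenClaw's popularity: of the 13,729 Skills on ClawHub, more than 50% were judged to be spam, duplicates or low quality, and 396 were flagged as malicious. Horror stories of waking up to a $1,100 API bill appear frequently in the community. The CVE-2026-25253 RCE vulnerability once put 135,000 exposed instances at risk. "Raising lobsters" may be popular, but security and cost control are things you must take seriously. 05 Architecture Overview OpenClaw uses ... In its history of less than 5 months, OpenClaw has already gone through at least 9 major security incidents; CNNVD has recorded a cumulative 82 vulnerabilities (12 critical, 21 high), and a security warning at the level of the Ministry of Industry and Information Technology has also been issued. CVE-2026-25253: remote code execution vulnerability. Item / Details. CVE ID: CVE-2026-25253. CVSS score: 8.8/10 (high). Type: remote code execution (RCE). Principle: WebSocket origin header bypass. An attacker can forge the origin
0 credits | 114 pages | 8.90 MB | 1 month ago
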
OpenShift Container Platform 4.8 Logging
1.1.2. CVE CVE-2016-3709 CVE-2020-35525 CVE-2020-35527 CVE-2020-36516 CVE-2020-36558 • CVE-2020-36558 CVE-2021-3640 CVE-2021-30002 CVE-2022-0168 CVE-2022-0561 CVE-2022-0562 CVE-2022-0617 CVE-2022-0617 CVE-2022-0854 CVE-2022-0865 CVE-2022-0891 CVE-2022-0908 • CVE-2022-0909 • CVE-2022-0924 CVE-2022-1016 CVE-2022-1048 CVE-2022-1055 • CVE-2022-1184 CVE-2022-1292 CVE-2022-1304 CVE-2022-1355 CVE-2022-1355 • CVE-2022-1586 CVE-2022-1785 • CVE-2022-1852 • CVE-2022-1897 • CVE-2022-1927 CVE-2022-2068 CVE-2022-2078 CVE-2022-2097 CVE-2022-2509 CVE-2022-2586 CVE-2022-2639 CVE-2022-2938 CVE-2022-3515
0 credits | 223 pages | 2.28 MB | 2 years ago

OpenShift Container Platform 4.7 Logging
.... 9 1.2.2.2. CVE ..... 9 1.2.3. OpenShift Logging 5.0.8 ..... 10 1.2.3.1. Bug fixes ..... 10 1.2.4. OpenShift Logging 5.0.7 ..... 10 1.2.4.1. Bug fixes ..... 10 1.2.4.2. CVE ..... 10 1.2.5. OpenShift Logging 5.0.6 ..... 13 1.2.5.1. Bug fixes ..... 13 1.2.5.2. CVE ..... 13 1.2.6. OpenShift Logging 5.0.5 ..... 15 1.2.6.1. Security fixes ..... 15 1.2.7. OpenShift Logging 5.0.4 ..... 15 1.2.7 ... the value of the field or the default value, whichever is less. (LOG-1736) 1.2.2. CVE CVE-2020-25648 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-36222 CVE-2021-37576 • CVE-2021-37576 CVE-2021-37750 CVE-2021-38201 1.2.3. OpenShift
0 credits | 183 pages | 1.98 MB | 2 years ago

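HW Arsenal: Red Team Operations Handbook
weblogic CVE-2019-2725 CVE-2019-2729 CVE-2018-3191 CVE-2018-2628 CVE-2018-2893 CVE-2018-2894 CVE-2017-3506 CVE-2017-10271 CVE-2017-3248 CVE-2016-0638 CVE-2016-3510 CVE-2015-4852 CVE-2014-4210 weak console password, webshell deployment • Jboss CVE-2015-7501 CVE-2017-7504 CVE-2017-12149 unauthorized access, webshell deployment; weak console password, webshell deployment • wildfly [jboss 7.x was renamed wildfly] weak console password, webshell deployment Tomcat CVE-2016-8735 CVE-2017-12615 [readonly is rarely the case, of limited use] CVE-2020-1938 [AJP protocol vulnerability; port 8009 is not often exposed directly to the internet, of limited use] weak console password, webshell deployment [note: since version 7.x, a brute-force protection mechanism is enabled by default] • Jenkins CVE-2018-1999002 [arbitrary file read] unauthorized access, arbitrary command execution; weak console password, arbitrary command execution • ElasticSearch CVE-2014-3120 [RCE specifically against old versions (no sandbox)]
0 credits | 19 pages | 1.20 MB | 2 years ago
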
676 results in total