VYPR

Junoclaw

by Dragonmonk111

Source repositories

CVEs (5)

  • CVE-2026-43992CriMay 12, 2026
    risk 0.57cvss 9.8epss 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was…

  • CVE-2026-43991HigMay 12, 2026
    risk 0.48cvss 8.4epss 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constructions, allowing unauthorized command execution on the host when combined with…

  • CVE-2026-43990HigMay 12, 2026
    risk 0.48cvss 8.4epss 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument string to the shell's parser, allowing shell metacharacters in agent-supplied…

  • CVE-2026-43989HigMay 12, 2026
    risk 0.48cvss 8.5epss 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved to, with no validation of location, symlink target, file size, or file format.…

  • CVE-2026-43993HigMay 12, 2026
    risk 0.46cvss 8.2epss 0.00

    JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the WAVS bridge's computeDataVerify called fetch() on agent-supplied URLs without validating scheme, port, or resolved IP, resulting in an SSRF vulnerability. This vulnerability is fixed in…