File-Disclosure

A vulnerability in the `apm-cli` tool allows a malicious APM package to include symlinks that, when installed, can lead to file-content disclosure, by dereferencing symlinks under `.apm/prompts/` and `.apm/agents/` during `apm install`, and copying host-local file contents into the project tree.

OpenClaw versions prior to 2026.4.10 are vulnerable to a sender policy bypass, allowing attackers with restricted read access to disclose local files by triggering host-media attachment loading, bypassing authorization boundaries.

Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.