From d7312d7429ecd6fa67a41bae35f8b2bab1abe482 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 10 Jun 2026 11:35:17 +0300
Subject: [PATCH] chore: update NVD/GHSA advisories - 1 NVD new, 0 NVD updated
 (#257)

Automated update from NVD CVE and GHSA advisory feeds.
Keywords: openclaw, nanoclaw, hermes, picoclaw
Poll window: 2026-06-03T07:38:12Z to 2026-06-10T08:29:07.000Z

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 advisories/feed.json                         | 45 +++++++++++++++++---
 advisories/feed.json.sig                     |  2 +-
 advisories/ghsa-without-cve.json             | 10 ++---
 advisories/ghsa-without-cve.json.sig         |  2 +-
 skills/clawsec-feed/advisories/feed.json     | 45 +++++++++++++++++---
 skills/clawsec-feed/advisories/feed.json.sig |  2 +-
 6 files changed, 88 insertions(+), 18 deletions(-)

diff --git a/advisories/feed.json b/advisories/feed.json
index c91ce0a..2aa9f68 100644
--- a/advisories/feed.json
+++ b/advisories/feed.json
@@ -1,8 +1,43 @@
 {
   "version": "0.0.3",
-  "updated": "2026-06-03T07:38:12Z",
+  "updated": "2026-06-10T08:30:16Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-11461",
+      "severity": "medium",
+      "type": "improper_authorization",
+      "nvd_category_id": "CWE-285",
+      "title": "A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function ...",
+      "description": "A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+      "affected": [
+        "hermes@*"
+      ],
+      "platforms": [
+        "hermes"
+      ],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-06-07T22:16:22.547",
+      "references": [
+        "https://gist.github.com/YLChen-007/7951b3dc39193fb675914cc5d8b672fa",
+        "https://gist.github.com/YLChen-007/c2d162e9c8d39584223683cdcba98607",
+        "https://vuldb.com/cve/CVE-2026-11461"
+      ],
+      "cvss_score": 6.3,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11461",
+      "exploitability_score": "medium",
+      "exploitability_rationale": "Medium CVSS score (6.3); network accessible",
+      "attack_vector_analysis": {
+        "is_network_accessible": true,
+        "requires_authentication": true,
+        "requires_user_interaction": false,
+        "complexity": "low"
+      },
+      "exploit_detection": {
+        "exploit_available": false,
+        "exploit_sources": []
+      }
+    },
     {
       "id": "CVE-2026-10548",
       "severity": "medium",
@@ -12216,8 +12251,8 @@
       "id": "GHSA-jf56-mccx-5f3f",
       "ghsa_id": "GHSA-jf56-mccx-5f3f",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
@@ -12260,8 +12295,8 @@
       "id": "GHSA-gfmx-pph7-g46x",
       "ghsa_id": "GHSA-gfmx-pph7-g46x",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
diff --git a/advisories/feed.json.sig b/advisories/feed.json.sig
index 2d89e27..22125cb 100644
--- a/advisories/feed.json.sig
+++ b/advisories/feed.json.sig
@@ -1 +1 @@
-v+PiWmjIkY6zdIyI9xJX0l0aTy0Azp1+LoZR6qaiDZJnXFuSBX4Sw/x5tMdTb0xSbqdDTJOZwwWI8coPVepzBw==
\ No newline at end of file
+agiAAFvzM1vNHxH2+bGtyeKqFScLWJHnNreBcPpTODUqD0xqFi0cnyP/ZaZX+Rsw1Y9uZ7pGdFdA93pD4lh2BQ==
\ No newline at end of file
diff --git a/advisories/ghsa-without-cve.json b/advisories/ghsa-without-cve.json
index fafbea7..2c73dc6 100644
--- a/advisories/ghsa-without-cve.json
+++ b/advisories/ghsa-without-cve.json
@@ -1,6 +1,6 @@
 {
   "version": "0.1.0",
-  "updated": "2026-06-03T07:38:13Z",
+  "updated": "2026-06-10T08:30:16Z",
   "description": "Provisional ClawSec advisory feed for public GitHub Security Advisories that do not yet have CVE identifiers.",
   "stale_after_days": 60,
   "semantics": {
@@ -2810,8 +2810,8 @@
       "id": "GHSA-jf56-mccx-5f3f",
       "ghsa_id": "GHSA-jf56-mccx-5f3f",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
@@ -2853,8 +2853,8 @@
       "id": "GHSA-gfmx-pph7-g46x",
       "ghsa_id": "GHSA-gfmx-pph7-g46x",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
diff --git a/advisories/ghsa-without-cve.json.sig b/advisories/ghsa-without-cve.json.sig
index 7ca086b..30f8b37 100644
--- a/advisories/ghsa-without-cve.json.sig
+++ b/advisories/ghsa-without-cve.json.sig
@@ -1 +1 @@
-SCkRaPMF6IYDwZuR7/JJXxpB7A7ebuMvLqK827uWX0yfEJr7l2gyLpxvHsEpWJDzE4gchxd5yqJx5qF/yqNwAg==
\ No newline at end of file
+q1EyZ75QcdG2X6FVDkUoAyBtQE3ONA+7k9cmNFmXFgOOuGRPOpSDFUtbSvy86HPqnii26DMoeFJ1hatWJ0lBCQ==
\ No newline at end of file
diff --git a/skills/clawsec-feed/advisories/feed.json b/skills/clawsec-feed/advisories/feed.json
index c91ce0a..2aa9f68 100644
--- a/skills/clawsec-feed/advisories/feed.json
+++ b/skills/clawsec-feed/advisories/feed.json
@@ -1,8 +1,43 @@
 {
   "version": "0.0.3",
-  "updated": "2026-06-03T07:38:12Z",
+  "updated": "2026-06-10T08:30:16Z",
   "description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
   "advisories": [
+    {
+      "id": "CVE-2026-11461",
+      "severity": "medium",
+      "type": "improper_authorization",
+      "nvd_category_id": "CWE-285",
+      "title": "A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function ...",
+      "description": "A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+      "affected": [
+        "hermes@*"
+      ],
+      "platforms": [
+        "hermes"
+      ],
+      "action": "Review and update affected components. See NVD for remediation details.",
+      "published": "2026-06-07T22:16:22.547",
+      "references": [
+        "https://gist.github.com/YLChen-007/7951b3dc39193fb675914cc5d8b672fa",
+        "https://gist.github.com/YLChen-007/c2d162e9c8d39584223683cdcba98607",
+        "https://vuldb.com/cve/CVE-2026-11461"
+      ],
+      "cvss_score": 6.3,
+      "nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11461",
+      "exploitability_score": "medium",
+      "exploitability_rationale": "Medium CVSS score (6.3); network accessible",
+      "attack_vector_analysis": {
+        "is_network_accessible": true,
+        "requires_authentication": true,
+        "requires_user_interaction": false,
+        "complexity": "low"
+      },
+      "exploit_detection": {
+        "exploit_available": false,
+        "exploit_sources": []
+      }
+    },
     {
       "id": "CVE-2026-10548",
       "severity": "medium",
@@ -12216,8 +12251,8 @@
       "id": "GHSA-jf56-mccx-5f3f",
       "ghsa_id": "GHSA-jf56-mccx-5f3f",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
@@ -12260,8 +12295,8 @@
       "id": "GHSA-gfmx-pph7-g46x",
       "ghsa_id": "GHSA-gfmx-pph7-g46x",
       "cve_id": null,
-      "status": "active",
-      "stale": false,
+      "status": "stale",
+      "stale": true,
       "stale_after_days": 60,
       "severity": "high",
       "type": "github_security_advisory",
diff --git a/skills/clawsec-feed/advisories/feed.json.sig b/skills/clawsec-feed/advisories/feed.json.sig
index 2d89e27..22125cb 100644
--- a/skills/clawsec-feed/advisories/feed.json.sig
+++ b/skills/clawsec-feed/advisories/feed.json.sig
@@ -1 +1 @@
-v+PiWmjIkY6zdIyI9xJX0l0aTy0Azp1+LoZR6qaiDZJnXFuSBX4Sw/x5tMdTb0xSbqdDTJOZwwWI8coPVepzBw==
\ No newline at end of file
+agiAAFvzM1vNHxH2+bGtyeKqFScLWJHnNreBcPpTODUqD0xqFi0cnyP/ZaZX+Rsw1Y9uZ7pGdFdA93pD4lh2BQ==
\ No newline at end of file