Lucene search
K

28 matches found

RedhatCVE
RedhatCVE
added 2026/02/21 1:30 a.m.7 views

CVE-2026-27009

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15...

5.8CVSS5.5AI score0.00228EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.11 views

OpenClaw 跨站脚本漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. A cross-site scripting vulnerability exists in OpenClaw. The vulnerability stems from improper escaping of assistant identity information when rendered by Control UI and can be exploited by an attacker to compromise...

5.8CVSS5.6AI score0.00228EPSS
Exploits1References4
CVE
CVE
added 2026/02/19 11:25 p.m.13 views

CVE-2026-27009

OpenClaw (npm package openclaw) contains a stored XSS in the Control UI that occurs when rendering the assistant identity (name/avatar) into an inline script tag without proper escaping. The issue affects versions prior to 2026.2.15 (

5.8CVSS5.5AI score0.00228EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/02/18 10:44 p.m.3 views

Cross-site Scripting (XSS)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of assistant identity values into an inline tag without proper escaping. An attacker can execute arbitrary JavaScript in the Control UI ...

6.8CVSS5.6AI score0.00228EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/18 10:44 p.m.6 views

OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

Summary Stored XSS in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Affected Packages ...

5.8CVSS5.8AI score0.00228EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/02/18 10:44 p.m.11 views

GHSA-37GC-85XM-2WW6 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

Summary Stored XSS in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Affected Packages ...

5.8CVSS5.8AI score0.00228EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.11 views

PT-2026-20792

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description A stored Cross-Site Scripting XSS issue exists in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without proper escaping. A crafted value containing cou...

5.8CVSS5.8AI score0.00228EPSS
Exploits1References13
OSV
OSV
added 2026/02/02 11:41 p.m.2 views

GHSA-G8P2-7WF7-98MQ OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

Summary The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload. Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker ca...

8.8CVSS6.2AI score0.08016EPSS
Exploits5References5
Rows per page
Query Builder