28 matches found
CVE-2026-27009
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15...
OpenClaw 跨站脚本漏洞
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. A cross-site scripting vulnerability exists in OpenClaw. The vulnerability stems from improper escaping of assistant identity information when rendered by Control UI and can be exploited by an attacker to compromise...
CVE-2026-27009
OpenClaw (npm package openclaw) contains a stored XSS in the Control UI that occurs when rendering the assistant identity (name/avatar) into an inline script tag without proper escaping. The issue affects versions prior to 2026.2.15 (
Cross-site Scripting (XSS)
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of assistant identity values into an inline tag without proper escaping. An attacker can execute arbitrary JavaScript in the Control UI ...
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Summary Stored XSS in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Affected Packages ...
GHSA-37GC-85XM-2WW6 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Summary Stored XSS in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without script-context-safe escaping. A crafted value containing could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Affected Packages ...
PT-2026-20792
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description A stored Cross-Site Scripting XSS issue exists in the OpenClaw Control UI when rendering assistant identity name/avatar into an inline tag without proper escaping. A crafted value containing cou...
GHSA-G8P2-7WF7-98MQ OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
Summary The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload. Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker ca...