Lucene search
K

6791 matches found

NVD
NVD
added 4 days ago7 views

CVE-2026-15193

A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only ...

5.3CVSS0.00683EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-15193

A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only ...

5.3CVSS5.5AI score0.00683EPSS
Exploits0References7Affected Software1
CVE
CVE
added 4 days ago11 views

CVE-2026-15193

CVE-2026-15193 affects AidanPark openclaw-android up to 0.4.0. The issue resides in Android WebView Bridge's JsBridge.kt (unknown function) and enables OS command injection via local access. Publicly disclosed exploit details exist, and a fix is awaiting acceptance in a pull request. Remediation ...

5.3CVSS5.7AI score0.00683EPSS
Exploits0References7
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-42626

A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only ...

5.3CVSS5.7AI score0.00683EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-59261 OpenClaw < 2026.5.28 - Credential Override via Workspace Dotenv Files

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS0.00192EPSS
Exploits0References2
CVE
CVE
added 5 days ago9 views

CVE-2026-59261

OpenClaw vulnerable before version 2026.5.28 due to a credential exposure where workspace dotenv files can override provider credentials. The issue allows attackers with lower-trust access to configured input paths to exfiltrate sensitive data and credentials meant for trusted boundaries. There i...

8.4CVSS6AI score0.00192EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42322

OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries...

8.4CVSS6AI score0.00192EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-56484

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.28 Description A credential exposure issue exists where workspace dotenv files can override provider credentials. This allows attackers with lower-trust access to configured input paths to expose sensitive dat...

8.4CVSS6.1AI score0.00192EPSS
Exploits0References8
OSV
OSV
added 2026/07/02 5:23 p.m.8 views

GHSA-P73F-W79W-JQR5 OpenClaw: Native command authorization could skip owner-command enforcement

Summary Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy. This advisory is scoped to the named feature and...

7.2CVSS6AI score0.00267EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 5:22 p.m.12 views

GHSA-J472-GF56-X589 OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks

Summary PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser. This advisory is scoped to the named feature and configuration. It does not...

8.7CVSS6AI score0.00451EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 5:22 p.m.13 views

GHSA-77Q5-RR5V-X43Q OpenClaw: Trusted retry endpoint checks could match hostname prefixes

Summary Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not...

7.1CVSS6AI score0.00265EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 5:18 p.m.6 views

GHSA-W5WW-7CHG-MXCQ OpenClaw: Telegram interactive callbacks could skip commands.allowFrom

Summary Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom. This advisory is scoped to the named feature and configuration. It do...

8.8CVSS6AI score0.00312EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 5:13 p.m.5 views

GHSA-7HXM-F538-3XP6 OpenClaw: Matrix allowFrom could bind to mutable display names

Summary Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 5:13 p.m.11 views

EUVD-2026-36317

OpenClaw: Matrix allowFrom could bind to mutable display names...

8.8CVSS5.8AI score0.00309EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/02 5:12 p.m.11 views

EUVD-2026-36322

OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance...

8.6CVSS5.8AI score0.00342EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/02 5:11 p.m.12 views

EUVD-2026-36312

OpenClaw: Combined POSIX shell options could confuse exec revalidation...

8.8CVSS5.8AI score0.00419EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 5:11 p.m.3 views

GHSA-VXX3-6HC9-7CC3 OpenClaw: Combined POSIX shell options could confuse exec revalidation

Summary Combined POSIX shell options could confuse exec revalidation. In affected versions, a command request using combined shell flags could parse approval-time and execution-time shell options differently. This advisory is scoped to the named feature and configuration. It does not change...

8.8CVSS6AI score0.00419EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 5:11 p.m.14 views

EUVD-2026-36324

OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers...

6.9CVSS5.8AI score0.00096EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 5:11 p.m.6 views

GHSA-275C-XPVC-JGFW OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload

Summary Slack and Zalo webhook secrets could remain active after secrets.reload. In affected versions, a caller with an old webhook secret during the stale-secret window could keep accepting the previous secret after secrets.reload. This advisory is scoped to the named feature and configuration. ...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 5:6 p.m.8 views

GHSA-6C4R-G249-WV3C OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts

Summary Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References2
Rows per page
Query Builder