Lucene search
K

4 matches found

CVE
CVE
added 2026/02/21 9:27 a.m.35 views

CVE-2026-27485

Summary (concrete details): CVE-2026-27485 affects OpenClaw’s npm package, specifically the packaging helper script under skills/skill-creator/scripts/package_skill.py. The vulnerability arises when the script, run on a crafted local skill directory, follows symlinks to files outside the skill ro...

4.6CVSS5.7AI score0.00221EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/02/21 9:27 a.m.24 views

CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/packageskill.py a local helper script used when authors package skills previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory...

4.6CVSS0.00221EPSS
Exploits0References5
OSV
OSV
added 2026/02/21 9:27 a.m.6 views

CVE-2026-27485 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/packageskill.py a local helper script used when authors package skills previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory...

4.6CVSS5.7AI score0.00221EPSS
Exploits0References7
CVE
CVE
added 2026/02/19 11:25 p.m.13 views

CVE-2026-27009

OpenClaw (npm package openclaw) contains a stored XSS in the Control UI that occurs when rendering the assistant identity (name/avatar) into an inline script tag without proper escaping. The issue affects versions prior to 2026.2.15 (

5.8CVSS5.5AI score0.00228EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder