CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/16 6:5 p.m.•18 views

CVE-2026-53854

OpenClaw is affected by a privilege escalation in versions before 2026.4.25. The issue arises from wildcard inheritance of ownerAllowFrom state across channel boundaries in internal and webchat command authentication, allowing a sender to execute owner-like commands outside the intended channel s...

6.5CVSS5.6AI score0.00245EPSS

Exploits0References2Affected Software1

EUVD•added 2026/05/11 6:31 p.m.•27 views

EUVD-2026-29141

OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs...

NVD•added 2026/05/11 6:16 p.m.•16 views

Exploits0References4

CVE-2026-44996

6.3CVSS0.00305EPSS

Vulnrichment•added 2026/05/11 4:46 p.m.•7 views

CVE-2026-44996 OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding

ATTACKERKB•added 2026/05/11 4:46 p.m.•7 views

CVE-2026-44996

Cvelist•added 2026/05/11 4:46 p.m.•39 views

Exploits0References4

CVE-2026-44996 OpenClaw < 2026.4.15 - Arbitrary Local File Read via Webchat Audio Embedding

6.3CVSS0.00305EPSS

CVE•added 2026/05/11 4:46 p.m.•16 views

CVE-2026-44996

OpenClaw vulnerability CVE-2026-44996 affects versions before 2026.4.15. The webchat audio embedding helper fails local media root containment checks, allowing an attacker to influence ReplyPayload.mediaUrl to resolve absolute local paths or file URLs, read audio-like files, and embed them base64...

Exploits0References3Affected Software1

CNNVD•added 2026/05/11 12:0 a.m.•8 views

OpenClaw 路径遍历漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.15 contained a path traversal vulnerability. This vulnerability stemmed from the webchat audio embedding assistant’s failure to apply a check for the inclusion of the local medi...

6.3CVSS5.8AI score0.00305EPSS

Positive Technologies•added 2026/05/11 12:0 a.m.•11 views

PT-2026-39685

Snyk•added 2026/04/29 9:34 p.m.•4 views

Exploits0References4

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the webchat audio embedding process. An attacker can access and exfiltrate arbitrary local audio-like files readable by the gateway process by influencing the...

6.3CVSS6.3AI score0.00305EPSS

OSV•added 2026/04/29 9:34 p.m.•2 views

GHSA-GFG9-5357-HV4C OpenClaw: Webchat audio embedding could read local files without local-root containment

Impact OpenClaw deployments before 2026.4.15 could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths. If an attacker could influence an agent or tool-produced ReplyPayload.mediaUrl, the webchat audio...

6CVSS5.8AI score

Github Security Blog•added 2026/04/29 9:34 p.m.•6 views

OpenClaw: Webchat audio embedding could read local files without local-root containment

5.4AI score

Exploits0References3Affected Software1

OSV•added 2026/04/17 10:33 p.m.•1 views

GHSA-MR34-9552-QR95 OpenClaw: Webchat media embedding enforces local-root containment for tool-result files

Summary Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy. Impact A crafted tool-result media reference could cause the host to attempt local file reads or Windows...

6.3CVSS5.7AI score0.00264EPSS

Exploits0References10

Github Security Blog•added 2026/04/17 10:33 p.m.•5 views

OpenClaw: Webchat media embedding enforces local-root containment for tool-result files

6.3CVSS5.7AI score0.00264EPSS

Exploits0References10Affected Software1

RedhatCVE•added 2026/03/26 3:18 p.m.•7 views

CVE-2026-30048

A stored cross-site scripting XSS vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when t...

5.4CVSS5.8AI score0.00247EPSS

EUVD•added 2026/03/26 12:30 p.m.•2 views

EUVD-2026-16150

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'...

6.9CVSS5.8AI score0.0026EPSS

ATTACKERKB•added 2026/03/26 9:12 a.m.•1 views

CVE-2026-4263

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'...

6.9CVSS5.8AI score0.0026EPSS

CVE•added 2026/03/26 9:12 a.m.•8 views

CVE-2026-4263

CVE-2026-4263 concerns an incorrect authorization flaw in the HiJiffy Chatbot. The vulnerability allows an attacker to download private messages from other users by abusing the parameter 'visitor' in the API endpoint /api/v1/webchat/message. The CVSS details indicate a network-based, low-complexi...

6.9CVSS5.8AI score0.0026EPSS

Cvelist•added 2026/03/26 9:12 a.m.•26 views

CVE-2026-4263 Incorrect authorization in HiJiffy Chatbot

Vulnerability of incorrect authorization in HiJiffy Chatbot allows an attacker to download private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'...

6.9CVSS0.0026EPSS