13 matches found
GHSA-XPR6-2HGM-4WWP Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-r39h-4c2p-3jxp. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver tha...
CVE-2026-45004
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...
CVE-2026-45004 OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...
CVE-2026-45004
OpenClaw is vulnerable to arbitrary code execution prior to version 2026.4.23. The flaw is in the bundled plugin setup resolver, which loads setup-api.js from process.cwd() during provider setup metadata resolution. An attacker can place a malicious extensions//setup-api.js in a repository and cause...
PT-2026-39693
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...
GHSA-R39H-4C2P-3JXP OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
Summary: OpenClaw's bundled plugin setup resolver could fall back to process.cwd while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing extensions//setup-api.js, OpenClaw could load and execute that JavaScript during ordinary...
Arbitrary Code Injection
Overview: openclaw is "🦞 OpenClaw — Personal AI Assistant". Affected versions of this package are vulnerable to Arbitrary Code Injection in the setup-api.js loading process. An attacker can execute arbitrary code by placing a malicious setup-api.js file in the extensions// directory of a repository...
EUVD-2025-27604
Malicious code in bioql PyPI...
CVE-2025-10210 yanyutao0402 ChanCMS Api.js search sql injection
A weakness has been identified in yanyutao0402 ChanCMS up to 3.3.0. Affected is the function Search of the file app/modules/api/service/Api.js. Manipulation of the argument key can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the...
Access Restriction Bypass
kubeview is vulnerable to access restriction bypass. The vulnerability exists in the default function of api.js, because api/scrape/kube-system does not require authentication, which allows an attacker to bypass the restrictions and retrieve certificate files that can be used to authenticate as...
MAL-2022-609 Malicious code in @squareup/data-api.js-core (npm)
Source: ghsa-malware 351c78770a4888af009e5d2270940bb942890cf8ceb18057cf2f33f709ba191a. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-2337 Malicious code in data-api.js-core (npm)
Source: ghsa-malware 68057aab80a4b5d9446687fc971935efb298ebbb4631efbd5780649ef2f35ec6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2012-0958
CVE-2012-0958 affects the unity-firefox-extension (Firefox extension) version 2.4.1. The issue in content/unity-api.js exposes the toDataURL function, allowing a crafted page to bypass the Same Origin Policy and potentially obtain sensitive information from the user. The vulnerability is document...