8 matches found
OpenClaw 路径遍历漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.14 had a path traversal vulnerability. This vulnerability stemmed from issues with path traversal in the applypatch function, which could allow attackers to write to or delete files outside of the...
CVE-2026-28452
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource...
CVE-2026-28393
OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings.transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration...
CVE-2026-29611 OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension must be installed and enabled media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...
CVE-2026-28457
OpenClaw is affected by a path traversal vulnerability in sandbox skill mirroring that uses the frontmatter name when copying skills into the sandbox workspace. Affected versions: OpenClaw before 2026.2.14. Attackers can craft a skill package with traversal sequences (e.g., ../ or absolute paths)...
CVE-2026-28456 OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import, allowing code execution. An attacker with gateway configuration modification access can load and...
EUVD-2026-9902
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundarie...
GHSA-P25H-9Q54-FFVW OpenClaw has Zip Slip path traversal in tar archive extraction
Summary OpenClaw versions before 2026.2.14 did not sufficiently validate TAR archive entry paths during extraction. A crafted archive could use path traversal sequences for example ../../... to write files outside the intended destination directory Zip Slip. Affected Packages / Versions - Package...