10 matches found
CVE-2026-26329 OpenClaw has a path traversal in browser upload allows local file read
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...
CVE-2026-26329 OpenClaw has a path traversal in browser upload allows local file read
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...
CVE-2026-26329 OpenClaw has a path traversal in browser upload allows local file read
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs...
CVE-2026-26329
OpenClaw contains a path traversal in the browser tool upload action that allows an authenticated user to read arbitrary files on the Gateway host by supplying absolute or traversal paths. This existed prior to version 2026.2.14; the server passed user-supplied paths to Playwright's setInputFiles...
OpenClaw has a path traversal in browser upload allows local file read
Summary: Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs without restricting them to a safe root. Severity remains Hi...
GHSA-CV7M-C9JX-VG7Q OpenClaw has a path traversal in browser upload allows local file read
Summary: Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles APIs without restricting them to a safe root. Severity remains Hi...
CVE-2024-35203
CVE-2024-35203 affects Mahara before 22.10.6, 23.04.6, and 24.04.1, where a file uploaded via the Mahara filebrowser can carry a name containing JavaScript and trigger cross-site scripting (XSS). Root cause: improper sanitization of uploaded filenames. Impact: XSS possibility via file name in the...
Exploit for Improper Input Validation in Imagemagick
Container Escape Exploit This is a container escape exploit t...
BigTree CMS cross-site scripting vulnerability (CNVD-2018-21319)
Fastspot BigTree is an open source content management system (CMS) based on PHP and MySQL, developed by the United States company Fastspot. A cross-site scripting vulnerability exists in /admin/ajax/file-browser/upload/ in Fastspot BigTree version 4.2.23. A remote attacker can exploit this vulnerability to inject...
Easy File Sharing Web Server 7.2 - Authentication Bypass
Easy File Sharing Web Server 7.2 - Authentication Bypass Exploit Title: EFS Web Server 7.2 Authentication Bypass Date: 11-06-2017 Software Link: http://www.sharing-file.com/efssetup.exe Software Version : 7.2 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website:...