CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/11 12:0 a.m.•8 views

PT-2026-39689

5CVSS5.8AI score0.0003EPSS

Exploits0References5

NVD•added 2026/05/06 8:16 p.m.•2 views

CVE-2026-43577

OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions...

7.1CVSS0.00033EPSS

CNNVD•added 2026/05/06 12:0 a.m.•4 views

OpenClaw 输入验证错误漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.5 had a vulnerability related to input validation errors. This vulnerability stemmed from server-side request forgery in the CDP/json/version WebSocket endpoint, which might all...

7.7CVSS5.8AI score0.00033EPSS

Exploits0References1

ATTACKERKB•added 2026/04/27 11:24 p.m.•0 views

CVE-2026-41372

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authenticated browser control toward localhost endpoints and expose...

CVE•added 2026/04/27 11:24 p.m.•3 views

CVE-2026-41372

Technical details such as affected products, versions, root cause, and remediation are not publicly available in the provided documents. Monitor for updates from NVD, CVE lists, and vendor advisories.

Exploits0References3Affected Software1

Vulnrichment•added 2026/04/27 11:24 p.m.•1 views

CVE-2026-41372 OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery

Positive Technologies•added 2026/04/27 12:0 a.m.•0 views

PT-2026-35560

OSV•added 2026/04/25 11:49 p.m.•1 views

GHSA-J4C5-89F5-F3PM OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Browser profile creation normalized cdpUrl values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly...

2.3CVSS5.8AI score

Github Security Blog•added 2026/04/17 10:18 p.m.•5 views

OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

Summary CDP /json/version WebSocket URL could pivot to untrusted second-hop targets. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.5 Impact A browser profile could trust a CDP /json/version response whose webSocketDebuggerUrl pointed at a differen...

7.7CVSS5.7AI score0.00033EPSS

Exploits0References6Affected Software1

Snyk•added 2026/04/07 6:15 p.m.•2 views

Improper Input Validation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Input Validation via the CDP discovery process. An attacker can redirect authenticated browser control to a localhost-resolving endpoint by crafting a discovery response with a...

6.9CVSS5.8AI score0.00042EPSS

Exploits0References2

Rockylinux•added 2026/04/07 12:1 a.m.•1 views

lldpd bug fix and enhancement update

An update is available for lldpd. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list LLDP is an industry standard protocol designed to supplant proprietary Link-Lay...

5.9AI score

Exploits0

NVD•added 2026/03/18 2:16 a.m.•2 views

CVE-2026-22174

OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the...

6.8CVSS0.00028EPSS

NVD•added 2026/03/05 10:16 p.m.•3 views

CVE-2026-28458

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay extension must be installed and enabled /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit...

8.1CVSS0.00068EPSS

ATTACKERKB•added 2026/03/05 9:59 p.m.•5 views

CVE-2026-28458

7.5CVSS6AI score0.00068EPSS

Exploits0References4Affected Software1

Github Security Blog•added 2026/03/03 9:42 p.m.•2 views

OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

Summary When the optional Chrome extension relay is enabled, /extension accepted unauthenticated WebSocket upgrades while /json/ and /cdp required auth. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.17 - Latest published npm version at triage time: 2026.2.17 Impact Thi...

6AI score

Exploits0References3Affected Software1

OSV•added 2026/03/03 9:42 p.m.•2 views

GHSA-PFV7-RR5M-QMV6 OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint

5.1CVSS6AI score