CVE-2026-27008 OpenClaw hardened the skill download target directory validation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside t...

CVE-2026-27008 OpenClaw hardened the skill download target directory validation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside t...

CVE-2026-27002

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options bind mounts, host networking, unconfined profiles to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 block...

CVE-2026-27002

OpenClaw CVE-2026-27002 describes a configuration injection issue in the Docker tool sandbox that could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. Affected software: OpenClaw prior to version 202...

CVE-2026-27002 OpenClaw: Docker container escape via unvalidated bind mount config injection

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options bind mounts, host networking, unconfined profiles to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 block...

CVE-2026-27002 OpenClaw: Docker container escape via unvalidated bind mount config injection

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options bind mounts, host networking, unconfined profiles to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 block...

Cross-site Scripting (XSS)

Overview org.webjars.npm:pannellum is a lightweight, free, and open source panorama viewer for the web. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the attributes configuration property in hot spots. An attacker can execute arbitrary JavaScript code by supplyi...

CVE-2026-25755

A flaw was found in jsPDF. The addJS method accepts user input without proper sanitization, allowing an attacker to inject arbitrary PDF objects into the document. A specially crafted payload that escapes the JavaScript string delimiter can execute malicious actions or alter the document structur...

jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Impact User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user...

GHSA-9VJF-QC39-JPRP jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Impact User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user...

CVE-2026-25755

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious...

CVE-2026-25755

jsPDF prior to 4.2.0 is vulnerable to PDF Object Injection via the addJS method when user-controlled input is passed. An attacker could inject arbitrary PDF objects by crafting a payload that escapes the JavaScript string delimiter, potentially affecting document structure or actions when opened ...

CVE-2026-25755 jsPDF has PDF Object Injection via Unsanitized Input in addJS Method

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious...

CVE-2026-25755 jsPDF has PDF Object Injection via Unsanitized Input in addJS Method

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious...

CLSA-2026-1771512005 glib2: Fix of 2 CVEs

CVE-2025-14087: fix heap corruption in GLib GVariant parser by preventing integer overflows and unsafe buffer size calculations - CVE-2025-14512: fix integer overflow in escapebytestring for byte strings with many invalid characters...

PT-2026-20850

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.2.0 Description jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled input to the addJS method allows an attacker to inject arbitrary PDF objects into generated documents. ...

Amazon Linux 2 : firefox, --advisory ALAS2FIREFOX-2026-050 (ALASFIREFOX-2026-050)

The version of firefox installed on the remote host is prior to 140.7.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2026-050 advisory. Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox 146. CVE-2025-14327 Mitigation...

Amazon Linux 2023 : firefox (ALAS2023-2026-1429)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1429 advisory. Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox 146. CVE-2025-14327 Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox 147...

PT-2026-20906

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside t...

GHSA-H7F7-89MM-PQH6 OpenClaw hardened the skill download target directory validation

Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.14 - Fixed in: planned release 2026.2.15 Impact A bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In th...