CVE-2026-31994

OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation...

EUVD-2026-14588

OpenClaw before 2026.2.19 contains a local command injection vulnerability in Windows scheduled task script generation that allows attackers to execute arbitrary commands by injecting cmd metacharacters into unsafe gateway.cmd arguments. Attackers with control over service script generation value...

CVE-2026-32907

OpenClaw is affected by CVE-2026-32907 in versions prior to 2026.2.19. A local command-injection flaw exists in Windows scheduled task script generation, allowing an attacker who can influence service script generation values to inject unescaped cmd metacharacters into gateway.cmd arguments and a...

PT-2026-27239

OpenClaw before 2026.2.19 contains a local command injection vulnerability in Windows scheduled task script generation that allows attackers to execute arbitrary commands by injecting cmd metacharacters into unsafe gateway.cmd arguments. Attackers with control over service script generation value...

GHSA-5GQG-MQH5-2V39 Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mqr9-vqhq-3jxw. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script...

Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mqr9-vqhq-3jxw. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script...

CVE-2026-31994

OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation...

Improper Encoding or Escaping of Output

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the script generation process in Windows deployments due to improper handling of command-line arguments in gateway.cmd. An attacker can execute...

CVE-2026-25593

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerabilit...

EUVD-2026-5577

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerabilit...

CVE-2026-25593

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerabilit...

Exposed Dangerous Method or Function

Overview Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the sse or streaming transport modes. An attacker can gain unauthorized access to internal resources by tricking a victim into visiting a malicious website or serving a malicious advertisement...

CVE-2024-21879 URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225

Improper Neutralization of Special Elements used in a Command 'Command Injection' vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway formerly known as Envoy allows OS Command Injection.This issue affects Envoy: from 4.x to 8.x and 8.2.4225...

CVE-2024-33008 Memory Corruption vulnerability in SAP Replication Server

SAP Replication Server allows an attacker to use gateway for executing some commands to RSSD. This could result in crashing the Replication Server due to memory corruption with high impact on Availability of the system...

NS-DV7500企业级高性能VPN安全网关命令执行漏洞

No description provided by source...

Symantec Web Gateway pbcontrol.php Command Injection

Added: 08/24/2012 CVE: CVE-2012-2953 BID: 54426 OSVDB: 84120 Background Symantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. Problem Symantec Web Gateway 5.0.x.x before 5.0.3.18 is vulnerable to command injection due to...

Symantec Web Gateway pbcontrol.php Command Injection

Added: 08/24/2012 CVE: CVE-2012-2953 BID: 54426 OSVDB: 84120 Background Symantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. Problem Symantec Web Gateway 5.0.x.x before 5.0.3.18 is vulnerable to command injection due to...