7 matches found
EUVD-2026-13330
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including...
GHSA-44C9-4RG5-QJGQ Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g99v-8hwm-g76g. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in websearch citation redirec...
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv0 tokens in system.run...
CVE-2026-31999 OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution...
CVE-2026-28461 OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn
OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different que...
Misskey 数据伪造问题漏洞
Misskey is an open-source, permanently free social media platform developed by Misskey. Versions of Misskey prior to 2026.3.1 had a data manipulation vulnerability, which stemmed from allowing bypasses of HTTP signature verification...
PT-2026-24121
Name of the Vulnerable Software and Affected Versions Misskey versions prior to 2026.3.1 Description Misskey is a federated social media platform. All servers prior to version 2026.3.1 are susceptible to an issue that allows bypassing HTTP signature verification. This affects all servers, even...