
21 matches found

ATTACKERKB • added 2026/05/11 4:46 p.m. • 4 views

CVE-2026-45000

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed durin...

CVSS 5 • AI score 5.8 • EPSS 0.00246
Exploits 0 • References 5
Positive Technologies • added 2026/05/11 12:00 a.m. • 9 views

PT-2026-39689

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed durin...

CVSS 5 • AI score 5.8 • EPSS 0.00246
Exploits 0 • References 5
Snyk • added 2026/04/25 11:49 p.m. • 7 views

Server-side Request Forgery (SSRF)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl...

CVSS 5 • AI score 5.5 • EPSS 0.00246
Exploits 0 • References 2
OSV • added 2026/04/14 11:22 p.m. • 8 views

GHSA-4X48-CGF9-Q33F Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection

Summary: The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses...

AI score 6
Exploits 0 • References 3
CNVD • added 2026/03/02 12:00 a.m. • 2 views

OpenClaw code issue vulnerability (CNVD-2026-13388)

OpenClaw is an open-source intelligent AI assistant from openclaw. OpenClaw suffers from a code issue vulnerability: Cron webhook delivery calls fetch directly, which an attacker can exploit to make the webhook target access private or internal endpoints...

CVSS 7.3 • AI score 5.8 • EPSS 0.00327
Exploits 0 • References 1
RedhatCVE • added 2026/02/22 1:25 p.m. • 4 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 7.3 • AI score 5.4 • EPSS 0.00327
Exploits 0 • References 1
NVD • added 2026/02/21 10:16 a.m. • 6 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 7.3 • EPSS 0.00327
Exploits 0 • References 3
Cvelist • added 2026/02/21 9:49 a.m. • 23 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 6.9 • EPSS 0.00327
Exploits 0 • References 3
Vulnrichment • added 2026/02/21 9:49 a.m. • 2 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 6.9 • AI score 5.3 • EPSS 0.00327
Exploits 0 • References 3
OSV • added 2026/02/21 9:49 a.m. • 5 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 6.9 • AI score 5.5 • EPSS 0.00327
Exploits 0 • References 5
CVE • added 2026/02/21 9:49 a.m. • 16 views

CVE-2026-27488

OpenClaw contains an SSRF-related issue in Cron webhook delivery. In versions up to 2026.2.17, the fetch() call in src/gateway/server-cron.ts allowed webhook targets to reach private/metadata/internal endpoints without SSRF policy checks. The issue was fixed in version 2026.2.19; upgrading to 2026...

CVSS 7.3 • AI score 5.4 • EPSS 0.00327
Exploits 0 • References 3 • Affected Software 1
ATTACKERKB • added 2026/02/21 9:49 a.m. • 6 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 6.9 • AI score 5.5 • EPSS 0.00327
Exploits 0 • References 4 • Affected Software 1
CNNVD • added 2026/02/21 12:00 a.m. • 5 views

OpenClaw code issue vulnerability

OpenClaw is an open-source intelligent AI assistant from openclaw. OpenClaw suffers from a code issue vulnerability: Cron webhook delivery calls fetch directly, which an attacker can exploit to make the webhook target access private or internal endpoints...

CVSS 7.3 • AI score 5.8 • EPSS 0.00327
Exploits 0 • References 3
Github Security Blog • added 2026/02/20 9:13 p.m. • 14 views

OpenClaw hardened cron webhook delivery against SSRF

Affected Packages / Versions - openclaw npm package versions <= 2026.2.17. Vulnerability: Cron webhook delivery in src/gateway/server-cron.ts used fetch directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commits - 99db4d13e - 35851cdaf Thank...

CVSS 7.3 • AI score 5.4 • EPSS 0.00327
Exploits 0 • References 5 • Affected Software 1
OSV • added 2026/02/20 9:13 p.m. • 7 views

GHSA-W45G-5746-X9FP OpenClaw hardened cron webhook delivery against SSRF

Affected Packages / Versions - openclaw npm package versions <= 2026.2.17. Vulnerability: Cron webhook delivery in src/gateway/server-cron.ts used fetch directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commits - 99db4d13e - 35851cdaf Thank...

CVSS 6.9 • AI score 5.5 • EPSS 0.00327
Exploits 0 • References 5
Positive Technologies • added 2026/02/20 12:00 a.m. • 4 views

PT-2026-21339

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.19. Description: The software is a personal AI assistant. A flaw exists in the Cron webhook delivery within the src/gateway/server-cron.ts component, where the use of fetch directly allows webhook targets to...

CVSS 6.9 • AI score 5.4 • EPSS 0.00327
Exploits 0 • References 7
Cvelist • added 2026/01/01 4:19 p.m. • 16 views

CVE-2025-14627 WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the uploadfunction method...

CVSS 6.4 • EPSS 0.00237
Exploits 0 • References 4
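Four of the findings in this result set are the same defect in different places: OpenClaw's cron webhook delivery handed a user-supplied URL straight to fetch() with no policy check (CVE-2026-27488), its browser CDP profile creation skipped the strict-mode SSRF check when the profile was stored (CVE-2026-45000), Novu's conditions-filter webhook posted with raw axios.post while a sibling code path had a validateUrlSsrf() guard, and WP Import validated the Bitly shortlink but not the URL the redirect resolved to (CVE-2025-14627). The TypeScript below is an added example, not code from any of those projects, of the gate a practitioner wants in front of such a call: parse the URL, refuse anything that is not http(s), resolve the host, refuse loopback, link-local (the 169.254.169.254 metadata service), RFC 1918, CGNAT and IPv6 local ranges, and re-run the whole check on every redirect hop instead of letting the HTTP client follow redirects on its own. `Resolver` and `Fetcher` are hypothetical hooks standing in for a real DNS lookup and HTTP client; the hostnames, DNS answers and responses are constructed for the demo.

```typescript
// Added example, not code from OpenClaw, Novu or WP Import: one SSRF policy
// gate applied to every outbound hop of a webhook delivery, redirects included.
// Resolver/Fetcher are hypothetical hooks; all hosts and answers are constructed.

type Resolver = (hostname: string) => string[];
type HopResponse = { status: number; headers: Record<string, string> };
type Fetcher = (url: string) => HopResponse;
type Outcome = { ok: boolean; status?: number; reason?: string };

const V4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for addresses a webhook must never reach: loopback, link-local
// (169.254.169.254 is the cloud metadata service), RFC 1918, CGNAT, the
// unspecified address and IPv6 unique-local/link-local. Unparseable input is
// refused as well: deny by default.
function isForbiddenIp(ip: string): boolean {
  const m = ip.match(V4);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]), c = Number(m[3]), d = Number(m[4]);
    if ([a, b, c, d].some((o) => o > 255)) return true;
    if (a === 0 || a === 10 || a === 127) return true;
    if (a === 169 && b === 254) return true;
    if (a === 172 && b >= 16 && b <= 31) return true;
    if (a === 192 && b === 168) return true;
    if (a === 100 && b >= 64 && b <= 127) return true;
    return false;
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(":")) return true;
  if (v6 === "::" || v6 === "::1") return true;
  if (v6.startsWith("fe80:") || /^f[cd]/.test(v6)) return true;
  if (v6.startsWith("::ffff:")) return isForbiddenIp(v6.slice(7)); // v4-mapped, dotted form
  return false;
}

// Policy for one hop: http(s) only, no embedded credentials, and every address
// the host maps to must pass. Checking the resolver's answers, not just the
// literal, is what catches "intranet.example" quietly pointing at 10.0.0.5.
function checkHop(rawUrl: string, resolve: Resolver): string | null {
  let url: URL | null = null;
  try { url = new URL(rawUrl); } catch { return "unparseable URL"; }
  if (url === null) return "unparseable URL";
  if (url.protocol !== "http:" && url.protocol !== "https:") return "scheme not allowed";
  if (url.username !== "" || url.password !== "") return "credentials in URL";
  // WHATWG parsing canonicalises numeric hosts, so 0x7f.1 arrives here as 127.0.0.1.
  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost is not allowed";
  const literal = V4.test(host) || host.includes(":");
  const addrs = literal ? [host] : resolve(host);
  if (addrs.length === 0) return "host does not resolve";
  for (const a of addrs) if (isForbiddenIp(a)) return `resolves to forbidden address ${a}`;
  return null;
}

// Deliver to a target, re-running the policy before each hop. Checking only
// the first URL and letting the client follow redirects by itself is exactly
// how a shortlink ends up landing on the metadata service.
function deliverWebhook(target: string, fetchImpl: Fetcher, resolve: Resolver, maxHops: number = 5): Outcome {
  let current = target;
  for (let hop = 0; hop <= maxHops; hop++) {
    const problem = checkHop(current, resolve);
    if (problem !== null) return { ok: false, reason: `${current}: ${problem}` };
    const res = fetchImpl(current);
    const loc = res.headers["location"];
    if (res.status >= 300 && res.status < 400 && loc) {
      current = new URL(loc, current).toString(); // Location may be relative
      continue;
    }
    return { ok: true, status: res.status };
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed DNS answers and a constructed transport standing in for the network.
const DNS = new Map<string, string[]>([
  ["hooks.example.net", ["203.0.113.10"]],
  ["short.example", ["198.51.100.7"]],
  ["intranet.example", ["10.0.0.5"]],
]);
const sampleResolver: Resolver = (h) => DNS.get(h) ?? [];
const sampleFetch: Fetcher = (u) =>
  u.startsWith("https://short.example/")
    ? { status: 302, headers: { location: "http://169.254.169.254/latest/meta-data/" } }
    : { status: 200, headers: {} };

for (const t of ["https://hooks.example.net/notify", "https://short.example/abc",
                 "http://intranet.example/", "http://[::1]:8080/", "http://0x7f.1/"]) {
  console.log(t, JSON.stringify(deliverWebhook(t, sampleFetch, sampleResolver)));
}
```

The same check belongs at both store time and use time for anything persisted (the CDP profile case): a URL that was clean when saved can resolve differently when it is later used. This example validates the resolver's answers but still lets the transport do its own lookup; a production gate should also pin the connection to the address it validated, otherwise a rebinding DNS record can slip between the check and the connect.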
CNNVD • added 2025/06/18 12:00 a.m. • 4 views

Linux kernel security vulnerability

Linux kernel is the kernel of Linux, the open-source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from cdns3_gadget_ep_dequeue and cdns3_gadget_ep_enable not handling private endpoints correctly, which could lead to...

CVSS 5.5 • AI score 6.3 • EPSS 0.00155
Exploits 0 • References 6
RedhatCVE • added 2025/05/23 6:01 a.m. • 5 views

CVE-2023-28346

An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact wit...

CVSS 7.3 • AI score 6.9 • EPSS 0.00884
Exploits 1 • References 1
OSSF Malicious Packages • added 2022/06/20 8:11 p.m. • 3 views

Malicious code in synapse-managed-private-endpoints (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware e1c17bea232b736c62da3d64b16c7726920d31083e764ab22b60f313d0e757c3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 • References 1