Lucene search
K

22 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/11 4:46 p.m.7 views

CVE-2026-45000

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed durin...

5CVSS5.8AI score0.00246EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.14 views

PT-2026-39689

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed durin...

5CVSS5.8AI score0.00246EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/25 11:49 p.m.17 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl...

5CVSS5.5AI score0.00246EPSS
Exploits0References2
OSV
OSV
added 2026/04/14 11:22 p.m.13 views

GHSA-4X48-CGF9-Q33F Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection

Summary The conditions filter webhook at libs/application-generic/src/usecases/conditions-filter/conditions-filter.usecase.ts line 261 sends POST requests to user-configured URLs using raw axios.post with no SSRF validation. The HTTP Request workflow step in the same codebase correctly uses...

6AI score
Exploits0References3
CNVD
CNVD
added 2026/03/02 12:0 a.m.4 views

OpenClaw code issue vulnerability (CNVD-2026-13388)

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a code issue vulnerability that stems from a Cron webhook delivery using fetch direct call, which can be exploited by an attacker to cause the webhook target to access private or internal endpoints...

7.3CVSS5.8AI score0.00327EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/22 1:25 p.m.5 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

7.3CVSS5.4AI score0.00327EPSS
Exploits0References1
NVD
NVD
added 2026/02/21 10:16 a.m.10 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

7.3CVSS0.00327EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/21 9:49 a.m.3 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

6.9CVSS5.3AI score0.00327EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/21 9:49 a.m.6 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

6.9CVSS5.5AI score0.00327EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/02/21 9:49 a.m.22 views

CVE-2026-27488

OpenClaw contains a SSRF-related issue in Cron webhook delivery. In versions up to 2026.2.17, the fetch() call in src/gateway/server-cron.ts allowed webhook targets to reach private/metadata/internal endpoints without SSRF policy checks. The issue was fixed in version 2026.2.19; upgrading to 2026...

7.3CVSS5.4AI score0.00327EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/21 9:49 a.m.8 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

6.9CVSS5.5AI score0.00327EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/21 9:49 a.m.27 views

CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

6.9CVSS0.00327EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/02/21 12:0 a.m.11 views

OpenClaw 代码问题漏洞

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a code issue vulnerability that stems from a Cron webhook delivery using fetch direct call, which can be exploited by an attacker to cause the webhook target to access private or internal endpoints...

7.3CVSS5.8AI score0.00327EPSS
Exploits0References3
OSV
OSV
added 2026/02/20 9:13 p.m.9 views

GHSA-W45G-5746-X9FP OpenClaw hardened cron webhook delivery against SSRF

Affected Packages / Versions - openclaw npm package versions = 2026.2.17. Vulnerability Cron webhook delivery in src/gateway/server-cron.ts used fetch directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commits - 99db4d13e - 35851cdaf Thank...

6.9CVSS5.5AI score0.00327EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/02/20 9:13 p.m.16 views

OpenClaw hardened cron webhook delivery against SSRF

Affected Packages / Versions - openclaw npm package versions = 2026.2.17. Vulnerability Cron webhook delivery in src/gateway/server-cron.ts used fetch directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks. Fix Commits - 99db4d13e - 35851cdaf Thank...

7.3CVSS5.4AI score0.00327EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.5 views

PT-2026-21339

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.19 Description The software is a personal AI assistant. A flaw exists in the Cron webhook delivery within the src/gateway/server-cron.ts component, where the use of fetch directly allows webhook targets to...

6.9CVSS5.4AI score0.00327EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/01/01 4:19 p.m.18 views

CVE-2025-14627 WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the uploadfunction method...

6.4CVSS0.00237EPSS
Exploits0References4
CNNVD
CNNVD
added 2025/06/18 12:0 a.m.5 views

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from cdns3gadgetepdequeue and cdns3gadgetepenable not handling private endpoints correctly, which could lead to...

5.5CVSS6.3AI score0.00159EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2025/05/23 6:1 a.m.6 views

CVE-2023-28346

An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact wit...

7.3CVSS6.9AI score0.00884EPSS
Exploits1References1
Kubernetes Security Advisories
Kubernetes Security Advisories
added 2022/11/08 9:33 p.m.5 views

Node address isn't always verified when proxying

CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them...

8.8CVSS6.7AI score0.01618EPSS
Exploits0Affected Software1
Rows per page
Query Builder