
25 matches found

CVE
added 2026/03/31 11:17 a.m., 9 views

CVE-2026-32917

OpenClaw prior to 2026.3.13 is affected by a remote command injection vulnerability in the iMessage attachment staging flow. The issue arises because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, allowing arbi...

CVSS 9.8, AI score 6.4, EPSS 0.01973
Exploits 0, References 3, Affected Software 1
RedhatCVE
added 2026/03/26 3:02 p.m., 3 views

CVE-2026-32030

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the...

CVSS 8.2, AI score 5.9, EPSS 0.00344
Exploits 0, References 1
CNVD
added 2026/03/24 12:00 a.m., 1 view

OpenClaw path traversal vulnerability (CNVD-2026-14850)

OpenClaw is an open-source AI assistant. OpenClaw suffers from a path traversal vulnerability that stems from a function accepting an arbitrary absolute path when iMessage remote attachment fetching is enabled. An attacker could use this vulnerability ...

CVSS 8.2, AI score 5.9, EPSS 0.00344
Exploits 0, References 1
Vulnrichment
added 2026/03/19 10:07 p.m., 3 views

CVE-2026-32030 OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the...

CVSS 8.2, AI score 5.9, EPSS 0.00344
Exploits 0, References 3
CNNVD
added 2026/03/19 12:00 a.m., 4 views

OpenClaw path traversal vulnerability

OpenClaw is an open-source AI assistant. OpenClaw suffers from a path traversal vulnerability that stems from a function accepting an arbitrary absolute path when iMessage remote attachment fetching is enabled. An attacker could use this vulnerability ...

CVSS 8.2, AI score 5.9, EPSS 0.00344
Exploits 0, References 3
Snyk
added 2026/03/16 8:41 p.m., 3 views

Command Injection

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Command Injection via the remote attachment staging process. An attacker can execute arbitrary commands on the configured remote host by supplying a crafted iMessage attachment filename...

CVSS 9.8, AI score 6.2, EPSS 0.01973
Exploits 0, References 2
OSV
added 2026/03/03 9:35 p.m., 3 views

GHSA-2MC2-G238-722J OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)

Summary: Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix:
- SCP used StrictHostKeyChecking=accept-new in the remote attachment path.
- channels.imessage.remoteHost was not validated as a strict SSH ho...

CVSS 5.3, AI score 5.9
Exploits 0, References 3
Github Security Blog
added 2026/03/03 9:35 p.m., 2 views

OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)

Summary: Remote iMessage attachment fetches used SCP with trust-on-first-use host-key behavior and accepted unvalidated remote host tokens. Before the fix:
- SCP used StrictHostKeyChecking=accept-new in the remote attachment path.
- channels.imessage.remoteHost was not validated as a strict SSH ho...

AI score 5.9
Exploits 0, References 3, Affected Software 1
Snyk
added 2026/03/03 7:58 p.m., 2 views

Directory Traversal

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Directory Traversal via stageSandboxMedia when iMessage remote attachment fetching is enabled and the attacker can inject or tamper with attachment path metadata. An attacker can access...

CVSS 8.2, AI score 6.5, EPSS 0.00344
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-16955

Malware in sbrugna...

CVSS 4.3, AI score 7, EPSS 0.0176
Exploits 0, References 15
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-12011

Malicious code in bioql PyPI...

CVSS 7.1, AI score 7.7, EPSS 0.00116
Exploits 0, References 2
RedhatCVE
added 2025/04/26 5:24 p.m., 21 views

CVE-2025-46530

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment (hacklog-remote-attachment) allows Stored XSS. This issue affects Hacklog Remote Attachment: from n/a through <= 1.3.2...

CVSS 7.1, AI score 7.2, EPSS 0.00116
Exploits 0, References 1
Patchstack
added 2025/04/24 5:13 p.m., 6 views

WordPress Hacklog Remote Attachment plugin <= 1.3.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by johska in WordPress plugin Hacklog Remote Attachment versions <= 1.3.2...

CVSS 7.1, AI score 8.1, EPSS 0.00116
Exploits 0, Affected Software 1
NVD
added 2025/04/24 4:15 p.m., 9 views

CVE-2025-46530

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment (hacklog-remote-attachment) allows Stored XSS. This issue affects Hacklog Remote Attachment: from n/a through <= 1.3.2...

CVSS 7.1, EPSS 0.00116
Exploits 0, References 1
Cvelist
added 2025/04/24 4:09 p.m., 16 views

CVE-2025-46530 WordPress Hacklog Remote Attachment plugin <= 1.3.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment (hacklog-remote-attachment) allows Stored XSS. This issue affects Hacklog Remote Attachment: from n/a through <= 1.3.2...

CVSS 7.1, EPSS 0.00116
Exploits 0, References 1
CVE
added 2025/04/24 4:09 p.m., 49 views

CVE-2025-46530

CVE-2025-46530 affects Hacklog Remote Attachment (WordPress plugin)

CVSS 7.1, AI score 7.2, EPSS 0.00116
Exploits 0, References 1
Vulnrichment
added 2025/04/24 4:09 p.m., 8 views

CVE-2025-46530 WordPress Hacklog Remote Attachment plugin <= 1.3.2 - Cross Site Request Forgery (CSRF) Vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog Remote Attachment (hacklog-remote-attachment) allows Stored XSS. This issue affects Hacklog Remote Attachment: from n/a through <= 1.3.2...

CVSS 7.1, AI score 8.6, EPSS 0.00116
Exploits 0, References 1
CNNVD
added 2025/04/24 12:00 a.m., 3 views

WordPress plugin Hacklog Remote Attachment cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin. A cross-site request forgery vulnerability...

CVSS 7.1, AI score 7.3, EPSS 0.00116
Exploits 0, References 2
SUSE CVE
added 2024/04/15 11:12 p.m., 4 views

SUSE CVE-2024-29902

Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as ...

CVSS 4.2, AI score 7.3, EPSS 0.00658
Exploits 0, References 5
OSV
added 2021/09/07 7:15 p.m., 14 views

CVE-2021-39195

Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been...

CVSS 6.5, AI score 6.5
Exploits 0, References 3