10 matches found
EUVD-2026-28197
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
GHSA-QVMW-H675-H7QG Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2hh7-c75g-qj2r. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto functio...
Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-2hh7-c75g-qj2r. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto functio...
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116 OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...
CVE-2026-44116
OpenClaw prior to version 2026.4.22 is affected by a server-side request forgery in the Zalo plugin’s sendPhoto function, failing to validate outbound photo URLs against the SSRF guard. An attacker can bypass SSRF protection by supplying malicious photo URLs to the Zalo Bot API, enabling unauthor...
PT-2026-38249
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.22. Description: A server-side request forgery (SSRF) issue exists in the Zalo plugin. The sendPhoto function fails to validate outbound photo URLs through the SSRF guard. This allows attackers to bypass protectio...
Server-side Request Forgery (SSRF)
Overview: @openclaw/zalo is an OpenClaw Zalo channel plugin. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the sendPhoto process. An attacker can cause unauthorized requests to internal or external resources by supplying a crafted outbound photo URL th...
Server-side Request Forgery (SSRF)
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the sendPhoto process. An attacker can cause unauthorized requests to internal or external resources by supplying a crafted outbound photo URL tha...