Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r39h-4c2p-3jxp. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver tha...

CVE-2026-45004 OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory

OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.23 had code vulnerabilities. These vulnerabilities stemmed from the bundled plugin setup parser, which loaded setup-api.js from process.cwd. This allowed attackers to execute...

NPM: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

NPM: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.23...

OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution

Summary OpenClaw's bundled plugin setup resolver could fall back to process.cwd while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing extensions//setup-api.js, OpenClaw could load and execute that JavaScript during ordinary...

CVE-2025-69200 phpMyFAQ has unauthenticated config backup download via /api/setup/backup

phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...

PT-2025-53730

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.0.16 Description An unauthenticated remote attacker can trigger the generation of a configuration backup ZIP file via the /api/setup/backup API endpoint. The generated ZIP file, accessible via the web, contains...

CVE-2019-17102

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/updatesetup does not perform firmware signature checks atomically, leading to an exploitable race condition TOCTTOU that allows arbitrary execution of system...

CVE-2018-18638

A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint...

CVE-2018-18638

A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint...

Command injection

A command injection vulnerability in the setup API in the Neato Botvac Connected 2.2.0 allows network attackers to execute arbitrary commands via shell metacharacters in the ntp field within JSON data to the /robot/initialize endpoint...

CVE-2018-18638

Neato Botvac Connected 2.2.0 is affected by a command-injection in the setup API. The vulnerability allows remote attackers to inject shell metacharacters in the ntp field of a JSON payload sent to /robot/initialize, enabling arbitrary command execution. Root cause: unsafely handled ntp field in ...