Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6p8r-6m93-557f. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where `GIT_TEMPLATE_DIR` and...
EUVD-2026-25315
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files ...
PT-2026-34763
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration...
Incomplete List of Disallowed Inputs
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to improper sanitization of environment variables in the execution environment. An attacker can execute arbitrary code or load unauthorized...
EUVD-2021-0858
Malware in sbrugna...
EUVD-2021-1042
Malware in sbrugna...
USN-7109-1: Go vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this issue to cause a denial of service. CVE-2022-41723 Marten Seemann discovered that Go did not properly manage memory under certain circumstances. An attacker could possibly use this...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Go vulnerabilities (USN-7109-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7109-1 advisory. Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2 streams. An attacker could possibly use this...
USN-7061-1: Go vulnerabilities
Hunter Wittenborn discovered that Go incorrectly handled the sanitization of environment variables. An attacker could possibly use this issue to run arbitrary commands. CVE-2023-24531 Sohom Datta discovered that Go did not properly validate backticks as Javascript string delimiters, and did not...
CVE-2019-25028
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector...
Design/Logic Flaw
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector...
Stored cross-site scripting in Grid component in Vaadin 7 and 8
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector. -...
Stored cross-site scripting in Grid component in Vaadin 7 and 8
Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector. See CWE-80: Improper Neutralization of...
EUVD-2019-13103
Insufficient sanitization of environment variables passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands...
mxBB Module kb_mods 2.0.2 - Remote File Inclusion
mxBB Module kb_mods 2.0.2 - Remote File Inclusion (ASCII art banner omitted) ...
PHP Live! 3.2.1 - 'help.php' Remote File Inclusion
Advisory: PHPLive 3.2 Remote Injection Vulnerability Release Date: 2006/07/23 Author: magnific Discovered: aneurysm.inc security research Risk: High Vendor Status: not contacted | no patch available Vendor Site: www.osicodes.com Contact: aneurysmincathotmaildotcom Version: all ----------- Overvie...
cbsms.txt
--------------------------------------------------------------------------- CBSMS Mambo Module = 1.0 mosConfig_absolute_path Remote File Include Vulnerabilities --------------------------------------------------------------------------- Discovered By Kw3RLn Romanian Security Team Remote : Yes...
FSA-018.txt
----------------------------------------------------- Advisory id: FSA:018 Author: Federico Fazzi Date: 15/06/2006, 23:36 Synthesis: Calendarix 0.7.20060401, SQL Injection Vulnerabilities Type: low Product: http://www.calendarix.com/ Patch: unavailable...