CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/04/28 6:10 p.m.•4 views

CVE-2026-42427

OpenClaw is affected (pre-2026.4.8). The vulnerability arises from missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS in the build environment, enabling attackers to inject hostile environment variables that influence host exec commands and achieve remo...

5.8CVSS6.7AI score0.00036EPSS

Cvelist•added 2026/04/28 6:10 p.m.•24 views

CVE-2026-42427 OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection

OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGOBUILDRUSTCWRAPPER, RUSTCWRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and...

5.8CVSS0.00036EPSS

Cvelist•added 2026/04/28 6:10 p.m.•24 views

CVE-2026-41915 OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment

OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GITDIR and related variables to redirect git operations and compromise repository integrity...

5.8CVSS0.00018EPSS

CVE•added 2026/04/28 6:10 p.m.•4 views

CVE-2026-41915

CVE-2026-41915 affects OpenClaw prior to 2026.4.8. The vulnerability arises from failing to remove git plumbing environment variables (e.g., GIT_DIR) from the execution environment before host exec operations, allowing an attacker to set these vars to redirect git operations and potentially compr...

6.1CVSS5.5AI score0.00018EPSS

Vulnrichment•added 2026/04/28 6:10 p.m.•2 views

CVE-2026-41915 OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment

5.8CVSS5.5AI score0.00018EPSS

EUVD•added 2026/04/28 6:9 p.m.•1 views

EUVD-2026-26104

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAWBUNDLEDPLUGINSDIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory...

8.5CVSS5.2AI score0.00014EPSS

Vulnrichment•added 2026/04/28 6:9 p.m.•2 views

CVE-2026-41396 OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root

8.5CVSS5.2AI score0.00014EPSS

Cvelist•added 2026/04/28 6:9 p.m.•21 views

CVE-2026-41391 OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling

OpenClaw before 2026.3.31 fails to properly sanitize PIPINDEXURL and UVINDEXURL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting...

5.8CVSS0.00018EPSS

CVE•added 2026/04/28 6:9 p.m.•5 views

CVE-2026-41384

OpenClaw prior to 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows malicious workspace configs to inject environment variables into the spawned backend process, enabling code execution or sensitive data exposure. Affected package: openclaw (...

8.5CVSS7.2AI score0.00016EPSS

EUVD•added 2026/04/28 6:9 p.m.•2 views

EUVD-2026-26093

Cvelist•added 2026/04/28 6:9 p.m.•23 views

CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

8.5CVSS0.00016EPSS

ATTACKERKB•added 2026/04/28 6:9 p.m.•0 views

CVE-2026-41384

Vulnrichment•added 2026/04/28 6:9 p.m.•0 views

Exploits0References4

CVE-2026-41384 OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

CVE•added 2026/04/28 6:9 p.m.•3 views

CVE-2026-41373

OpenClaw vulnerable before 2026.3.31 due to an incomplete host-env-security-policy.json that does not restrict compiler environment variables. This allows untrusted models to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via environment overrides when an approved hos...

6.1CVSS5.8AI score0.00014EPSS

OSV•added 2026/04/28 1:7 p.m.•1 views

JLSEC-2026-285

A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH...

8.8CVSS6.8AI score0.00184EPSS

Exploits0References10

OSV•added 2026/04/28 4:18 a.m.•0 views

USN-8202-2 jq vulnerabilities

USN-8202-1 fixed vulnerabilities in jq. This update provides the corresponding update to Ubuntu 26.04 LTS. Original advisory details: It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute...

8.2CVSS5.9AI score0.00137EPSS

Exploits5References7

Positive Technologies•added 2026/04/28 12:0 a.m.•4 views

PT-2026-35769

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.24 Description An environment variable injection issue exists in the CLI backend runner. Attackers can use malicious workspace configurations to inject arbitrary environment variables into the backend process...