41 matches found
CVE-2026-15620
A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/toolwebfetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be...
EUVD-2026-43582
A security vulnerability has been detected in mosaxiv clawlet up to 0.2.10. This affects the function tools.webFetch of the file tools/toolwebfetch.go. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be...
CVE-2026-15619
CVE-2026-15619 affects mosaxiv clawlet prior to 0.2.10. The vulnerable element is the web_fetch function in tools/tool_web_fetch.go of the IPv4 Handler. The issue arises from manipulating the url argument, enabling server-side request forgery (SSRF). The attack can be initiated remotely, and an e...
CVE-2026-15619 mosaxiv clawlet IPv4 tool_web_fetch.go web_fetch server-side request forgery
A weakness has been identified in mosaxiv clawlet up to 0.2.10. The impacted element is the function webfetch of the file tools/toolwebfetch.go of the component IPv4 Handler. This manipulation of the argument url causes server-side request forgery. The attack can be initiated remotely. The exploi...
CVE-2026-15317
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. Affected by this vulnerability is the function WebFetchTool.Execute of the file pkg/tools/integration/web.go of the component Guarded Web Fetch Flow. The manipulation results in server-side request forgery. The attack can be...
CVE-2026-15317
Sipeed PicoClaw
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrust...
CVE-2026-49138
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...
CVE-2026-49138 Nanobot < 0.2.1 SSRF via web_fetch Tool Redirect Following
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...
EUVD-2026-33757
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...
EUVD-2026-23452
OpenHarness before commit bd4df81 contains a server-side request forgery vulnerability in the webfetch and websearch tools that allows attackers to access private and localhost HTTP services by manipulating tool parameters without proper validation of target addresses. Attackers can influence an...
CVE-2026-40516
Technical details about CVE-2026-40516 are not publicly available in the provided Connected documents; the description exists but without explicit vendor/product/versions in this set. Monitor for updates.
EUVD-2026-21306
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...
GHSA-52VJ-FVRV-7Q82 OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...
CVE-2026-6011
OpenClaw (up to version 2026.1.26) contains a vulnerability in the file src/agents/tools/web-fetch.ts (assertPublicHostname handler) that enables server-side request forgery when a crafted request manipulates internal hostname handling. Exploitation is network-based with high complexity as descri...
OpenClaw 代码问题漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.1.26 have code vulnerabilities. These vulnerabilities stem from incorrect operations on the src/agents/tools/web-fetch.ts file, which may lead to server-side request forgery attac...
PT-2026-31871
Name of the Vulnerable Software and Affected Versions OpenClaw versions through 2026.1.26 Description A weakness exists in OpenClaw up to version 2026.1.26, specifically within the assertPublicHostname Handler functionality of the file src/agents/tools/web-fetch.ts. A manipulation can lead to...
SUSE CVE-2026-30858
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the webfetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including privat...
GO-2026-4643 WeKnora has DNS Rebinding Vulnerability in web_fetch Tool that Allows SSRF to Internal Resources in github.com/Tencent/WeKnora
WeKnora has DNS Rebinding Vulnerability in webfetch Tool that Allows SSRF to Internal Resources in github.com/Tencent/WeKnora...
CVE-2026-30858
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.3.0, a DNS rebinding vulnerability in the webfetch tool allows an unauthenticated attacker to bypass URL validation and access internal resources on the server, including privat...