2182 matches found
GHSA-W6F4-3V35-QJHJ Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6rcp-vxwf-3mfp. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that...
Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6rcp-vxwf-3mfp. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that...
CVE-2026-32052
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-32052
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-32052 OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-32052
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
EUVD-2026-13951
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-32052 OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-32052
OpenClaw is affected in versions prior to 2026.2.24. The vulnerability is a command injection in the system.run shell-wrapper that enables execution of hidden commands by injecting trailing positional argv carriers after inline shell payloads. The attack can be triggered through crafted approval ...
OpenClaw 安全漏洞
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. A command injection vulnerability exists in versions of OpenClaw prior to 2026.2.24. The vulnerability stems from a failure to properly filter construct command special characters, commands, etc. in the system.run...
PT-2026-26734
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary...
CVE-2026-33061
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...
CVE-2026-33061
exactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescape...
CVE-2026-33061
CVE-2026-33061 affects Jexactyl (previously named Exactyl), a configurable game management panel and billing system. The issue arises from injecting server-side objects into client-side JavaScript via resources/views/templates/wrapper.blade.php, where unescaped {!! json_encode(...) !!} is used wi...
CVE-2026-33061 Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...
EUVD-2026-13622
exactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescape...
Jexpanel 安全漏洞
Jexpanel is a game server management and billing panel developed by Jexactyl. Jexpanel has a security vulnerability, which stems from the use of jsonencode in the wrapper.blade.php template without proper escaping. This could lead to a storage-based DOM cross-site scripting attack...
CVE-2026-32023
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh...
EUVD-2026-13015
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign...
GHSA-PFV5-RPCW-X34X Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6j27-pc5c-m8w8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistenc...