| CVE-2026-28480 | unknown | — | — | 3mo ago | OpenClaw Telegram allowlist authorization accepted mutable usernames |
| CVE-2026-28469 | unknown | — | — | 3mo ago | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
| CVE-2026-26317 | unknown | — | — | 3mo ago | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
| CVE-2026-28478 | unknown | — | — | 3mo ago | OpenClaw affected by denial of service via unbounded webhook request body buffering |
| CVE-2026-28452 | unknown | — | — | 3mo ago | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
| CVE-2026-29612 | unknown | — | — | 3mo ago | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks |
| CVE-2026-26328 | unknown | — | — | 3mo ago | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
| CVE-2026-25157 | unknown | — | — | 4mo ago | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
| CVE-2026-25253 | unknown | — | — | 4mo ago | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
| CVE-2026-24763 | unknown | — | — | 4mo ago | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |