Package impact

npm / openclaw

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44109 | critical | 9.8 | 9.8 | 21d ago | OpenClaw: Feishu webhook and card-action validation now fail closed | npm |
| CVE-2026-43585 | critical | 9.8 | 9.8 | 21d ago | OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation | npm |
| CVE-2026-43566 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events | npm |
| CVE-2026-43534 | critical | 9.8 | 9.8 | 23d ago | OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input | npm |
| CVE-2026-41386 | critical | 9.8 | 9.8 | 29d ago | OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing | npm |
| CVE-2026-44112 | critical | 9.6 | 9.6 | 21d ago | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | npm |
| CVE-2026-41397 | critical | 9.6 | 9.6 | 29d ago | OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal | npm |
| CVE-2026-43526 | critical | 9.3 | 9.3 | 23d ago | OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes | npm |
| CVE-2026-28395 | critical | 9.1 | 9.1 | 3mo ago | OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback | npm |