OpenClaw versions before 2026.2.19 allow local authenticated users to execute arbitrary commands by injecting shell metacharacters into environment variable values during Windows Scheduled Task script generation. The vulnerability stems from unquoted variable assignments in gateway.cmd that fail to sanitize special characters like &, |, ^, %, and !, enabling command injection when the task script runs. A patch is available to address this local privilege escalation risk.
OpenClaw versions before 2026.2.21 allow authenticated attackers to bypass device identity verification and gain high-privilege Control UI access when insecure authentication is enabled and the gateway uses unencrypted HTTP. An attacker with compromised credentials can exploit the lack of secure authentication enforcement to obtain unauthorized control access. The vulnerability requires network access and valid credentials but poses significant risk in environments where plaintext HTTP is used.
Cross-site scripting in Discourse's Review Queue interface allows remote attackers to inject malicious payloads through prompt injection attacks against the AI triage system, which renders unsanitized LLM output to staff members. When administrators or moderators view flagged posts, the injected payload executes in their browser context, potentially compromising their sessions or performing unauthorized actions. The vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, with patches available in these releases.
Reflected cross-site scripting in Discourse AI conversation sharing allows unauthenticated attackers to inject malicious scripts through improperly sanitized conversation titles in the onebox rendering feature. An attacker can craft a malicious shared conversation link to execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. The vulnerability affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and currently has no patch available as a preventive measure.
WWBN/AVideo fails to properly validate the redirectUri parameter in its login flow, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled sites after successful login. The vulnerability stems from insufficient encoding of user input before it is embedded into JavaScript code that executes a redirect via document.location. An attacker can exploit this open redirect to perform phishing attacks or distribute malware by tricking users into clicking a login link with an attacker-controlled redirect destination.
OpenClaw versions prior to 2026.3.2 contain a symlink traversal vulnerability in the stageSandboxMedia function that fails to validate destination symlinks during media staging operations. This allows local attackers with low privileges to write files outside the intended sandbox workspace by placing malicious symlinks in the media/inbound directory, resulting in arbitrary file overwrite on the host system. A patch is available from the vendor, and the vulnerability was reported by VulnCheck with public references including a GitHub security advisory and commit fix.
OpenClaw versions before 2026.2.19 allow authenticated attackers to bypass the exec safeBins policy and write arbitrary files by injecting short-option flags into whitelisted binary commands. An attacker with login credentials can exploit this allowlist bypass to perform unauthorized file-write operations that should be blocked by the safeBins security controls. No patch is currently available for this medium-severity vulnerability.
A arbitrary file access vulnerability in the grep tool within tools (CVSS 6.0) that allows attackers. Remediation should follow standard vulnerability management procedures.
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the system.run function that allows authenticated attackers to execute non-allowlisted commands by exploiting shell line-continuation characters to fold malicious command substitution past security controls. An attacker with low privileges (PR:L) can inject shell metacharacters (specifically $\ followed by newline and parenthesis within double quotes) to circumvent approval boundaries and execute arbitrary commands, resulting in integrity compromise and potential availability impact. A public advisory and patch are available from the vendor, though no EPSS score or KEV status was provided in the intelligence sources.
OpenClaw versions before 2026.2.24 allow authenticated attackers to bypass path traversal protections by using @-prefixed absolute paths that evade workspace boundary validation, enabling unauthorized file access outside the intended directory scope when workspace-only restrictions are configured. The vulnerability stems from a canonicalization mismatch that fails to properly validate these specially-crafted paths, allowing attackers to read arbitrary files on the system.
OpenClaw versions prior to 2026.2.22 contain a Server-Side Request Forgery (SSRF) vulnerability in MSTeams media attachment handling where redirect chain validation against the mediaAllowHosts allowlist is inconsistently applied. An authenticated attacker with low privileges can supply or influence attachment URLs that redirect to non-allowlisted targets, allowing them to bypass SSRF boundary controls and potentially access internal resources. The vulnerability has confirmed patch availability and security advisories from the vendor.
OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in the system.run allowlist mode where attackers with local privileges can chain multiple transparent dispatch wrappers (such as /usr/bin/env) to suppress shell-wrapper detection and execute arbitrary shell commands without triggering expected approval prompts in allowlist plus ask=on-miss configurations. This authentication bypass has a CVSS score of 5.9 (medium severity) with high integrity impact, allowing privilege escalation or unauthorized command execution on affected systems. A proof-of-concept and security advisory are available from GitHub and VulnCheck.
OpenClaw versions prior to 2026.3.1 contain a post-approval executable rebind vulnerability in the system.run approval mechanism that fails to pin executable identity when argv[0] is not a full path. An attacker with local access and low privileges can modify PATH environment variables after an operator approves a command execution to redirect the approval to execute a different binary, achieving arbitrary command execution with the privileges of the OpenClaw process. The vulnerability has a moderate CVSS score of 6.0 reflecting local attack vector and high privilege requirements, but poses significant risk in environments where approval workflows are relied upon for security boundaries.
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a stored cross-site scripting (XSS) vulnerability in the return_id request parameter, which is insufficiently sanitized before being reflected into HTML event handler attributes. An authenticated attacker with high privileges can craft malicious payloads that execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. While this vulnerability requires authenticated access and user interaction to trigger, it affects a widely-deployed open-source CRM platform used by many enterprises.
WP Rocket, a popular WordPress performance optimization plugin, contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 3.19.4 that allows authenticated attackers with high privileges to inject malicious scripts into web pages. An attacker with administrator or equivalent access can craft specially-formatted input that bypasses input sanitization, resulting in persistent XSS that executes in the browsers of other site users. The vulnerability has a CVSS score of 5.9 (Medium), requiring high privileges and user interaction, with no evidence of active exploitation in the wild or public proof-of-concept code.
A command injection vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.
OpenClaw versions before 2026.2.22 allow authenticated attackers to bypass sender authorization checks through identifier collision attacks, enabling them to gain unauthorized access to privileged tools. By exploiting untyped sender keys and forcing collisions with mutable identity fields like senderName or senderUsername, attackers can inherit elevated permissions not granted to their account. No patch is currently available for this medium-severity vulnerability.
CVE-2026-3579 is a security vulnerability (CVSS 5.9). Remediation should follow standard vulnerability management procedures.
The fast-xml-parser library contains a logic error in DocTypeReader.js where JavaScript's falsy evaluation of the number 0 causes entity size and count limits to be completely bypassed when explicitly configured to 0. An attacker who can supply crafted XML input to an application using fast-xml-parser with these limits set to 0 can trigger unbounded entity expansion, exhausting server memory and causing denial of service. A proof-of-concept exists demonstrating the vulnerability, and the CVSS score of 5.9 reflects medium severity with high attack complexity, though the real-world impact is significant for applications that explicitly configure these restrictive limits.
Command injection in OpenClaw versions before 2026.2.19 allows local attackers with limited privileges to execute arbitrary commands when the Lobster extension tool falls back to Windows shell execution after subprocess failures. The vulnerability exists because the tool uses shell: true after spawn errors, enabling attackers to inject shell metacharacters into command arguments. A patch is available for affected users.
OpenClaw versions prior to 2026.3.2 contain an authorization bypass vulnerability in Discord voice transcript processing where the senderIsOwner flag is not properly validated in the agentCommand handler, causing it to default to true. This allows non-owner participants in mixed-trust Discord channels to gain unauthorized access to owner-only tools including gateway and cron functionality. The vulnerability has a CVSS score of 5.9 (medium severity) with high integrity impact, though real-world exploitation requires user interaction and moderate attack complexity.
Metricbeat's Prometheus remote_write HTTP handler is vulnerable to denial of service through excessive memory allocation when processing specially crafted requests from authenticated network-adjacent attackers. An attacker with local privileges can trigger unbounded memory allocation to exhaust system resources and crash the service. No patch is currently available for this vulnerability.
Admidio versions 5.0.0 through 5.0.6 contain a critical cross-site request forgery (CSRF) vulnerability in the groups-roles management module that allows unauthenticated attackers to trick privileged users into permanently deleting organizational roles, deactivating groups, or revoking memberships through forged POST requests. The vulnerability affects users with rol_assign_roles privileges, and exploited attacks result in permanent data loss including cascading deletion of role memberships, event associations, and access rights with no built-in undo mechanism. A patch is available in version 5.0.7, and the vulnerability is not currently tracked in active exploitation databases but poses significant organizational impact due to the permanent nature of role deletion and the low barrier to discovery of target role UUIDs from publicly accessible card views.
Arbitrary command execution in OpenClaw prior to version 2026.2.24 results from improper validation of binaries in package manager directories that are included in the safeBins allowlist. An attacker with write access to trusted paths such as /opt/homebrew/bin or /usr/local/bin can plant a malicious binary to achieve code execution within the OpenClaw runtime. No patch is currently available.
Packetbeat contains an improper array index validation vulnerability (CWE-129) in its protocol parser components that allows attackers to trigger out-of-bounds read operations through specially crafted network packets. Affected versions include Packetbeat 8.0.0 through 8.19.10 and 9.0.0 through 9.2.4, with the vulnerability requiring network-level access or traffic control to the monitored interface. An attacker exploiting this flaw can cause denial of service through application crashes or resource exhaustion; while the CVSS score of 5.7 indicates moderate severity and there is no indication of widespread active exploitation in public KEV databases, the patch availability through Elastic's security update (ESA-2026-11) released in version 8.19.11 and 9.2.5 suggests this is a confirmed and prioritized vulnerability worthy of timely remediation.
CVE-2026-2645 is a security vulnerability (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
The AVideo Scheduler plugin fails to validate callback URLs against Server-Side Request Forgery (SSRF) protections, allowing authenticated administrators to configure scheduled tasks that make HTTP requests to internal networks, cloud metadata services, and private IP ranges. An attacker with admin access can retrieve AWS/GCP/Azure instance metadata credentials (including IAM role tokens) or probe internal APIs not exposed to the internet. A proof-of-concept exists demonstrating credential extraction from AWS metadata endpoints at 169.254.169.254.
OpenClaw versions before 2026.2.22 suffer from a symlink traversal flaw in avatar processing that enables local attackers with user-level privileges to read sensitive files beyond the intended workspace directory. An attacker can leverage this through gateway interfaces to access arbitrary files with OpenClaw process permissions, resulting in unauthorized information disclosure. No patch is currently available for this vulnerability.
OpenClaw prior to version 2026.2.22 allows authenticated users to bypass device identity verification and assume a node role during WebSocket connections, enabling injection of unauthorized node events that trigger sensitive agent and voice transcript operations. An attacker with a shared gateway token can exploit this to perform actions without proper device pairing, potentially compromising system integrity and confidentiality. No patch is currently available.
Stored XSS in OpenEMR prior to 8.0.0.2 allows authenticated users with the "Notes - my encounters" role to inject malicious JavaScript into Eye Exam form fields, which executes when other users with the same role view the form responses. An attacker can exploit this to steal session tokens, perform unauthorized actions, or compromise patient data through form manipulation. No patch is currently available for affected versions.
Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.
HCL Connections contains a reflected or stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious JavaScript into the application, which executes in the browsers of other users who interact with the crafted payload. An attacker with valid credentials can steal session cookies and authentication tokens, potentially compromising victim accounts and enabling further attacks such as lateral movement or data exfiltration. The vulnerability requires user interaction and authentication to exploit, resulting in a CVSS score of 5.4 (Medium severity), though the impact is cross-site scope.
Stored XSS in OpenEMR versions before 8.0.0.2 allows authenticated patient portal users to inject malicious scripts into their login username, which execute in the browsers of clinic staff when viewing the portal credential creation page. This vulnerability enables attackers to compromise staff and admin sessions through the patient context, potentially leading to unauthorized access or data manipulation within the healthcare system. A patch is available in version 8.0.0.2 and later.
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain an unauthenticated open redirect vulnerability in the WebToLead feature that allows attackers to redirect users to arbitrary external websites by manipulating an unvalidated POST parameter. An attacker can leverage the trusted SuiteCRM domain to conduct phishing and social engineering attacks against users without requiring authentication or user interaction beyond clicking a malicious link. No patch is currently available for affected versions.
IBM QRadar SIEM contains a reflected or stored cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code, potentially altering system functionality and compromising the integrity of security monitoring. The vulnerability affects QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14. An attacker with valid credentials can craft malicious payloads to execute client-side code in the context of other users' sessions, leading to session hijacking, credential theft, or unauthorized configuration changes. A patch is available from IBM, and this vulnerability is not currently listed in CISA's KEV catalog, suggesting limited evidence of active exploitation in the wild at this time.
IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain a cross-site scripting (XSS) vulnerability in the Web UI that allows authenticated users to inject arbitrary JavaScript code. An attacker with valid credentials can exploit this vulnerability to alter UI functionality and potentially steal session credentials or perform actions on behalf of the victim user within their trusted session. A patch is available from the vendor, though no public exploitation toolkit or widespread active exploitation has been reported at the time of this analysis.
A remote code execution vulnerability in Discourse (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in OpenEMR (CVSS 5.4) that allows any authenticated openemr user. Remediation should follow standard vulnerability management procedures.
Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.
OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.
A remote code execution vulnerability in Instant Popup Builder (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
M365 Copilot is vulnerable to command injection that enables unauthenticated remote attackers to extract sensitive information through the network. The vulnerability stems from inadequate sanitization of special characters in command inputs, requiring user interaction to trigger. No patch is currently available for this medium-severity flaw.
OPEXUS eComplaint versions before 10.1.0.0 allow unauthenticated attackers to enumerate case numbers and upload arbitrary files to the public document upload interface, potentially cluttering cases with malicious content and consuming server storage. The vulnerability requires user interaction but has no authentication requirements, affecting all instances running vulnerable versions with no available patch.
Unauthorized access to hidden post revisions in Discourse through version enumeration allows unauthenticated users to bypass authorization checks and read staff-concealed edit history. The /posts/:id.json endpoint fails to validate user permissions before displaying revision content, enabling attackers to enumerate version numbers and access sensitive historical data. Affected deployments should upgrade to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 as no workarounds are available.
OpenClaw versions before 2026.2.23 allow authenticated users to bypass sandbox restrictions and read files outside the intended workspace by exploiting inadequate path validation in the sandboxed image tool. An attacker with valid credentials can exfiltrate sensitive files by leveraging vision model provider integrations, compromising the confidentiality of restricted data.
WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.
A remote code execution vulnerability in Discourse (CVSS 5.3) that allows restricted post action counts. Remediation should follow standard vulnerability management procedures.
OpenClaw versions before 2026.3.2 are vulnerable to a race condition in ZIP extraction that permits local attackers with limited privileges to write arbitrary files outside the intended extraction directory. By manipulating symlinks between path validation and write operations, an attacker can achieve arbitrary file placement on the system. A patch is available to resolve this integrity issue.
DiceBear avatar generation libraries (@dicebear/core and @dicebear/initials) are vulnerable to stored XSS through unescaped SVG attributes when user-supplied options like backgroundColor, fontFamily, and textColor are directly interpolated into SVG output. Attackers can inject malicious JavaScript that executes when the resulting SVG is rendered inline or served with SVG content-type, affecting any application that passes untrusted input to the createAvatar() function. No patch is currently available.
Linkit ONE Location Aware Sensor System (LASS) up to commit f06bd20 contains reflected cross-site scripting (XSS) in PM25.php that permits remote attackers to execute arbitrary JavaScript in victim browsers through unencoded GET parameters (site, city, district, channel, apikey). The vulnerability affects a sensor data collection platform and carries a low exploitation probability (EPSS 0.21%, percentile 43%), suggesting limited real-world attack activity despite public disclosure through VulnCheck.