Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H maps to CVSS 4.0 AT:P (attacker must control session content); UI:R for required link-click; S:C for browser-context scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
AnalysisAI
Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.
Technical ContextAI
OpenClaw (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) produces exportable HTML documents from session content. The root cause is CWE-83 (Improper Neutralization of Script in Attributes in a Web Page): the HTML export renderer does not sanitize javascript: and data: URI schemes from link attributes before writing them to the output file. These URI schemes are natively executable by browsers - a browser that renders an anchor with href='javascript:...' or href='data:text/html,...' will execute the payload when the user clicks the link. Proper remediation requires stripping or encoding these schemes during export, as they have no legitimate use in generated static HTML sessions.
RemediationAI
Upgrade OpenClaw to version 2026.5.12 or later, which addresses the unsafe link-scheme handling in the session HTML export renderer; consult the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv for patch details. If an immediate upgrade is not feasible, operators should avoid opening exported HTML files directly in a standard browser tab; instead, review session content within the OpenClaw application UI before exporting. As a compensating control, exported HTML files can be opened in a sandboxed browser profile or a browser with JavaScript execution disabled - note that disabling JavaScript eliminates the attack vector but may also break any legitimate interactivity in the exported document. Additionally, access controls should be applied to restrict who can contribute content to sessions reviewed by privileged operators, reducing the attacker's ability to inject malicious links.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37143
GHSA-6xcg-6q43-rj2v