| CVE-2026-28480 | unknown | — | — | | | | 4mo ago | OpenClaw Telegram allowlist authorization accepted mutable usernames |
| CVE-2026-28469 | unknown | — | — | | | | 4mo ago | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
| CVE-2026-26317 | unknown | — | — | | | | 4mo ago | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints |
| CVE-2026-28478 | unknown | — | — | | | | 4mo ago | OpenClaw affected by denial of service via unbounded webhook request body buffering |
| CVE-2026-28452 | unknown | — | — | | | | 4mo ago | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) |
| CVE-2026-29612 | unknown | — | — | | | | 4mo ago | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks |
| CVE-2026-26328 | unknown | — | — | | | | 4mo ago | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities |
| CVE-2026-25157 | unknown | — | — | | | | 4mo ago | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand |
| CVE-2026-25253 | unknown | — | — | | | | 4mo ago | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl |
| CVE-2026-24763 | unknown | — | — | | | | 4mo ago | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable |