Package impact
npm / openclaw
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-28470 | unknown | — | — | | | | 4mo ago | OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes |
| CVE-2026-28458 | unknown | — | — | | | | 4mo ago | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access |
| CVE-2026-28391 | unknown | — | — | | | | 4mo ago | OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating |
| CVE-2026-28459 | unknown | — | — | | | | 4mo ago | OpenClaw has an arbitrary transcript path file write via gateway sessionFile |
| CVE-2026-28472 | unknown | — | — | | | | 4mo ago | OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated |
| CVE-2026-25593 | unknown | — | — | | | | 4mo ago | OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply |
| CVE-2026-25475 | unknown | — | — | | | | 4mo ago | OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction |