| # | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Date/time | Date |
|---|------|----------|--------|--------|---------|-------------|-----|-----|-----------|------|
| 1901 | 7.7 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or f… | CWE-22 (Path Traversal) | CVE-2026-35668 | 2026-04-14 05:43 | 2026-04-11 |
| 1902 | 8.8 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using… | CWE-706 (Use of Incorrectly-Resolved Name or Reference) | CVE-2026-35666 | 2026-04-14 05:42 | 2026-04-11 |
| 1903 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature ve… | CWE-405 (Asymmetric Resource Consumption (Amplification)) | CVE-2026-35665 | 2026-04-14 05:42 | 2026-04-11 |
| 1904 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card comman… | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | CVE-2026-35664 | 2026-04-14 05:39 | 2026-04-11 |
| 1905 | 8.8 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements… | CWE-648 (Incorrect Use of Privileged APIs) | CVE-2026-35663 | 2026-04-14 05:39 | 2026-04-11 |
| 1906 | 4.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. Attackers can expl… | CWE-862 (Missing Authorization) | CVE-2026-35662 | 2026-04-14 05:32 | 2026-04-11 |
| 1907 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing require… | CWE-288 (Authentication Bypass Using an Alternate Path or Channel) | CVE-2026-35661 | 2026-04-14 05:32 | 2026-04-11 |
| 1908 | 8.1 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attack… | CWE-862 (Missing Authorization) | CVE-2026-35660 | 2026-04-14 05:32 | 2026-04-11 |
| 1909 | 6.5 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts ou… | CWE-668 (Exposure of Resource to Wrong Sphere) | CVE-2026-35658 | 2026-04-14 05:31 | 2026-04-11 |
| 1910 | 7.8 | HIGH | Local | khyrenz | parseusbs | parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen() shell command, allowing arbitrary command execution … | CWE-78 (OS Command) | CVE-2026-40029 | 2026-04-14 05:27 | 2026-04-09 |