VulnScope — package-centric CVE lookup- MEDIUM4.2CVE-2026-53860OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers
- MEDIUM6.5OpenClaw: memory-wiki shared search could miss session visibility checks
- MEDIUM5.5OpenClaw: Config recovery could restore openclaw.json with broad file permissions
- HIGH8.1OpenClaw: Zalo allowFrom could bind to mutable display names
- MEDIUM4.3OpenClaw: Skill-command dispatch could skip before-tool-call hooks
- MEDIUM6.1OpenClaw: Exported session HTML could keep unsafe markdown links
- MEDIUM5.3OpenClaw: Slack reaction events could ignore reaction notification settings
- MEDIUM4.2OpenClaw: Bootstrap token replay could widen pending pairing scopes
- HIGH8.1OpenClaw: Shell positional parameters could weaken strict inline-eval checks
- MEDIUM6.5OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
- MEDIUM4.3OpenClaw: Exec allowlist could miss side effects from transparent command wrappers
- MEDIUM6.5NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
- HIGH7.5Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
- LOW2.2BBOT: Symlink-Following Arbitrary Write via github_workflows Module
- MEDIUM6.5BBOT: Arbitrary File Write in postman_download Module
- LOW3.1BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
- MEDIUM5.3BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
- MEDIUM6.6OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
- HIGH7.5undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
- HIGH7.5http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
- HIGH8.1piscina: Prototype Pollution Gadget → RCE via inherited options.filename
- MEDIUM5.4Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
- HIGH8.0Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
- HIGH7.1OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
- HIGH8.1OpenClaw: Shell inline-command parsing could miss an allowlist check
← PrevPage 2 of 488Next →