| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | openclaw | openclaw | High | - | 2026-02-19 23:10:08 | Deep Dive |
| CVE-2026-26972 | OpenClaw has a Path Traversal in Browser Download Functionality | openclaw | openclaw | Medium | 6.7 | 2026-02-19 23:08:45 | Deep Dive |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | openclaw | openclaw | Medium | - | 2026-02-19 23:06:38 | Deep Dive |
| CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | openclaw | openclaw | Medium | 6.5 | 2026-02-19 23:04:12 | Deep Dive |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | openclaw | openclaw | Medium | - | 2026-02-19 22:59:36 | Deep Dive |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | openclaw | openclaw | Medium | - | 2026-02-19 22:55:53 | Deep Dive |
| CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | openclaw | openclaw | High | 7.2 | 2026-02-19 22:53:18 | Deep Dive |
| CVE-2026-26324 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | openclaw | openclaw | High | 7.5 | 2026-02-19 22:49:24 | Deep Dive |
| CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | openclaw | openclaw | High | - | 2026-02-19 22:47:48 | Deep Dive |
| CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | openclaw | openclaw | High | 7.6 | 2026-02-19 22:33:10 | Deep Dive |
| CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension | openclaw | openclaw | High | 7.5 | 2026-02-19 22:28:07 | Deep Dive |
| CVE-2026-26320 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | openclaw | openclaw | Medium | - | 2026-02-19 22:24:33 | Deep Dive |
| CVE-2026-26319 | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests | openclaw | openclaw | High | 7.5 | 2026-02-19 22:05:27 | Deep Dive |
| CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | openclaw | openclaw | High | 7.1 | 2026-02-19 21:34:28 | Deep Dive |
| CVE-2026-26316 | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust | openclaw | openclaw | High | 7.5 | 2026-02-19 21:28:33 | Deep Dive |
| CVE-2026-25474 | OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass | openclaw | openclaw | High | 7.5 | 2026-02-19 02:38:33 | Deep Dive |
| CVE-2026-25593 | OpenClaw Affected by Unauthenticated Local RCE via WebSocket config.apply | openclaw | openclaw | High | 8.4 | 2026-02-06 20:56:03 | Deep Dive |
| CVE-2026-25157 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | openclaw | openclaw | High | 7.7 | 2026-02-04 19:55:38 | Deep Dive |
| CVE-2026-25475 | OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction | openclaw | openclaw | Medium | 6.5 | 2026-02-04 19:55:36 | Deep Dive |
| CVE-2026-25253 | OpenClaw security vulnerability | OpenClaw | OpenClaw | High | 8.8 | 2026-02-01 22:34:18 | Deep Dive |