| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-41360 | OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding | OpenClaw | OpenClaw | Medium | 6.7 | 2026-04-23 21:58:18 |
| CVE-2026-41359 | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | OpenClaw | OpenClaw | High | 7.1 | 2026-04-23 21:58:18 |
| CVE-2026-41358 | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:17 |
| CVE-2026-41357 | OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends | OpenClaw | OpenClaw | Low | 3.3 | 2026-04-23 21:58:16 |
| CVE-2026-41355 | OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion | OpenClaw | OpenClaw | High | 7.3 | 2026-04-23 21:58:15 |
| CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:15 |
| CVE-2026-41354 | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys | OpenClaw | OpenClaw | Low | 3.7 | 2026-04-23 21:58:14 |
| CVE-2026-41353 | OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection | OpenClaw | OpenClaw | High | 8.1 | 2026-04-23 21:58:13 |
| CVE-2026-41352 | OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass | OpenClaw | OpenClaw | High | 8.8 | 2026-04-23 21:58:12 |
| CVE-2026-41350 | OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations | OpenClaw | OpenClaw | Medium | 4.3 | 2026-04-23 21:58:11 |
| CVE-2026-41351 | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:11 |
| CVE-2026-41349 | OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch | OpenClaw | OpenClaw | High | 8.8 | 2026-04-23 21:58:10 |
| CVE-2026-41348 | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:09 |
| CVE-2026-41347 | OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints | OpenClaw | OpenClaw | High | 7.1 | 2026-04-23 21:58:08 |
| CVE-2026-41346 | OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:05 |
| CVE-2026-41345 | OpenClaw < 2026.3.31 - Authorization Header Leak via Cross-Origin Redirect in Media Download | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:04 |
| CVE-2026-41344 | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:03 |
| CVE-2026-41343 | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | OpenClaw | OpenClaw | Medium | 5.3 | 2026-04-23 21:58:02 |
| CVE-2026-41342 | OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding | OpenClaw | OpenClaw | High | 7.3 | 2026-04-23 21:58:01 |
| CVE-2026-41341 | OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-23 21:58:00 |