| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-32060 | OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths | openclaw | openclaw | High | 8.8 | 2026-03-11 13:32:34 | Deep Dive |
| CVE-2026-32059 | OpenClaw 2026.2.22-2 < 2026.2.23 - Allowlist Bypass via sort Long-Option Abbreviation in tools.exec.safeBins | openclaw | openclaw | High | 8.8 | 2026-03-11 13:32:32 | Deep Dive |
| CVE-2026-29612 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | OpenClaw | OpenClaw | Medium | 5.5 | 2026-03-05 22:00:11 | Deep Dive |
| CVE-2026-29613 | OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust | OpenClaw | OpenClaw | Medium | 5.9 | 2026-03-05 22:00:11 | Deep Dive |
| CVE-2026-29611 | OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling | OpenClaw | OpenClaw | High | 7.5 | 2026-03-05 22:00:10 | Deep Dive |
| CVE-2026-29610 | OpenClaw < 2026.2.14 - Command Hijacking via Unsafe PATH Handling | OpenClaw | OpenClaw | High | 8.8 | 2026-03-05 22:00:08 | Deep Dive |
| CVE-2026-29609 | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | OpenClaw | OpenClaw | High | 7.5 | 2026-03-05 22:00:07 | Deep Dive |
| CVE-2026-29606 | OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-05 22:00:06 | Deep Dive |
| CVE-2026-28486 | OpenClaw 2026.1.16-2 < 2026.2.14 - Path Traversal (Zip Slip) in Archive Extraction via Installation Commands | OpenClaw | OpenClaw | Medium | 6.1 | 2026-03-05 22:00:03 | Deep Dive |
| CVE-2026-28485 | OpenClaw 2026.1.5 < 2026.2.12 - Missing Authentication in Browser Control HTTP Endpoints | OpenClaw | OpenClaw | High | 8.4 | 2026-03-05 22:00:00 | Deep Dive |
| CVE-2026-28482 | OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters | OpenClaw | OpenClaw | High | 7.1 | 2026-03-05 21:59:57 | Deep Dive |
| CVE-2026-28480 | OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-05 21:59:56 | Deep Dive |
| CVE-2026-28481 | OpenClaw < 2026.2.1 - Bearer Token Leakage via MS Teams Attachment Downloader Suffix Matching | OpenClaw | OpenClaw | Medium | 6.5 | 2026-03-05 21:59:56 | Deep Dive |
| CVE-2026-28479 | OpenClaw < 2026.2.15 - Cache Poisoning via Deprecated SHA-1 Hash in Sandbox Configuration | OpenClaw | OpenClaw | High | 7.5 | 2026-03-05 21:59:55 | Deep Dive |
| CVE-2026-28478 | OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering | OpenClaw | OpenClaw | High | 7.5 | 2026-03-05 21:59:54 | Deep Dive |
| CVE-2026-28477 | OpenClaw < 2026.2.14 - OAuth State Validation Bypass in Manual Chutes Login Flow | OpenClaw | OpenClaw | High | 7.1 | 2026-03-05 21:59:53 | Deep Dive |
| CVE-2026-28475 | OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison | OpenClaw | OpenClaw | Medium | 4.8 | 2026-03-05 21:59:51 | Deep Dive |
| CVE-2026-28476 | OpenClaw < 2026.2.14 - Server-Side Request Forgery in Tlon Extension Authentication | OpenClaw | OpenClaw | High | 8.3 | 2026-03-05 21:59:51 | Deep Dive |
| CVE-2026-28474 | OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing | OpenClaw | nextcloud-talk | Critical | 9.8 | 2026-03-05 21:59:50 | Deep Dive |
| CVE-2026-28473 | OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command | OpenClaw | OpenClaw | High | 8.1 | 2026-03-05 21:59:49 | Deep Dive |