CVE-2026-39983
published 2026-04-09
Priority: P2 (60) · high · CVSS 3.1 base score 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS: 2.19% (80.1th percentile)
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
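The following is an added example, not code from basic-ftp or from this advisory. It models the command assembly the description above attributes to FtpContext.send() and protectWhitespace(), shows an attacker-controlled path with an embedded CRLF splitting one RETR into a RETR followed by a DELE, and then shows two fixes: a builder that rejects CR/LF/NUL before the command is formed, and a Proxy-based guard that application code can wrap around a client instance it cannot upgrade yet. All function names (buildCommandLegacy, assertSafePath, guardPathApis, makeRecordingClient) and the recording stand-in client are hypothetical; only the FTP verbs and the seven API names come from the page. The leading-space prefix in the legacy stand-in is illustrative, not the library's exact behaviour.

```javascript
// Added example, not code from basic-ftp or this advisory. It models the
// control-channel command assembly the advisory describes, shows an injected
// CRLF splitting one command into two, and adds a compensating guard that
// callers can wrap around a client they cannot upgrade yet. Every name below
// (buildCommandLegacy, assertSafePath, guardPathApis, makeRecordingClient)
// is hypothetical; only the FTP verbs and the API names come from the page.

const CRLF = "\r\n";

// Stand-in for the pre-5.2.1 protectWhitespace(): a leading-space path is
// given a prefix so the server does not trim it (the exact prefix here is
// illustrative); every other path, including one with \r\n, passes unchanged.
function protectWhitespaceLegacy(path) {
  return path.startsWith(" ") ? "./" + path : path;
}

// Vulnerable assembly as the advisory describes FtpContext.send(): verb,
// space, path, then CRLF appended and written to the socket verbatim.
function buildCommandLegacy(verb, path) {
  return `${verb} ${protectWhitespaceLegacy(path)}${CRLF}`;
}

// What the server's command reader sees: one command per CRLF-terminated line.
function splitControlStream(bytes) {
  return bytes.split(CRLF).filter((line) => line.length > 0);
}

// Hardening: CR, LF and NUL can never be part of a legitimate pathname
// argument on the control connection, so reject them rather than strip them
// (stripping would silently send a different path than the caller asked for).
function assertSafePath(path) {
  if (typeof path !== "string") throw new TypeError("FTP path must be a string");
  if (/[\r\n\0]/.test(path)) throw new Error("FTP path contains CR/LF/NUL; refusing to send");
  return path;
}

function buildCommandFixed(verb, path) {
  return `${verb} ${protectWhitespaceLegacy(assertSafePath(path))}${CRLF}`;
}

// Compensating control at the application boundary: a Proxy that validates
// every string argument of the path-taking APIs before the library sees it.
// uploadFrom()/downloadTo() also take a local path, which is checked too;
// that is a deliberate tightening, not a behaviour the library promises.
const PATH_APIS = ["cd", "remove", "rename", "uploadFrom", "downloadTo", "list", "removeDir"];

function guardPathApis(client) {
  return new Proxy(client, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      if (typeof value !== "function" || !PATH_APIS.includes(prop)) return value;
      return (...args) => {
        for (const arg of args) if (typeof arg === "string") assertSafePath(arg);
        return value.apply(target, args);
      };
    },
  });
}

// Constructed stand-in for a basic-ftp Client: it records the bytes it would
// write to the control socket (using the vulnerable assembly) instead of
// opening a connection, so the demo runs offline.
function makeRecordingClient() {
  const sent = [];
  const send = (verb, path) => { sent.push(buildCommandLegacy(verb, path)); return Promise.resolve(); };
  return {
    sent,
    cd: (remotePath) => send("CWD", remotePath),
    remove: (remotePath) => send("DELE", remotePath),
    downloadTo: (_localPath, remotePath) => send("RETR", remotePath),
  };
}

function demo() {
  // Attacker-controlled "filename": the second line becomes its own command.
  const attackerPath = "reports/q1.csv\r\nDELE /srv/ftp/important.txt";
  const seenByServer = splitControlStream(buildCommandLegacy("RETR", attackerPath));
  const guarded = guardPathApis(makeRecordingClient());
  let blocked = false;
  try { guarded.downloadTo("/tmp/q1.csv", attackerPath); } catch { blocked = true; }
  return { seenByServer, blocked, sentByGuarded: guarded.sent.length };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The guard rejects rather than sanitises: silently dropping the CR/LF would turn the request into an operation on a different path than the caller asked for, which is its own integrity problem. It is a stop-gap for code that cannot move to 5.2.1 immediately, not a replacement for upgrading.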
Affected (2 ranges; the second is a sub-range of the first)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| patrickjuchli | basic-ftp | < 5.2.1 | 5.2.1 |
| patrickjuchli | basic-ftp | >= 5.2.0 < 5.2.1 | 5.2.1 |
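To check whether a Node.js project is in the affected range, a practitioner would normally run `npm ls basic-ftp --all` and compare against 5.2.1. The script below is an added example (not from the page or the basic-ftp project) that does the same check offline against a package-lock.json `packages` map (lockfileVersion 2 or 3), including nested copies under other dependencies. The lock document embedded here is constructed for the demo; findVulnerableBasicFtp and lessThan are hypothetical helper names.

```javascript
// Added example, not from the page or the basic-ftp project: scan a
// package-lock.json (lockfileVersion 2/3 "packages" map) for basic-ftp
// installs and flag versions below the fixed 5.2.1. The lock document
// below is constructed for the demo; in real use pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).

const FIXED_VERSION = "5.2.1";

// Parse the numeric major.minor.patch prefix; returns null for anything
// that is not a plain semver (git URLs, tarballs), so we never guess.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison (so 5.10.0 is not "less than" 5.2.1 lexically).
function lessThan(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  if (!x || !y) return false;
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Walk every installed package path; direct and nested installs both end
// in "node_modules/basic-ftp".
function findVulnerableBasicFtp(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/basic-ftp$/.test(path)) continue;
    if (lessThan(entry.version, FIXED_VERSION)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lock: one vulnerable top-level copy, one fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "basic-ftp": "^5.0.0" } },
    "node_modules/basic-ftp": { version: "5.0.5" },
    "node_modules/some-tool/node_modules/basic-ftp": { version: "5.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerableBasicFtp(SAMPLE_LOCK));
}
```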
Detection & IOCs (extracted from sources)
- FTP command injection via CRLF sequences (\r\n) embedded in file path parameters passed to basic-ftp high-level APIs (cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), removeDir()). Check path arguments for \r\n where they enter the application, before they reach the client; once on the control socket an injected CRLF is indistinguishable from a legitimate command terminator.
- The vulnerable code path is FtpContext.send(), which writes the command string directly to the control socket with \r\n appended, without rejecting embedded CRLF in the path. Monitor FTP control-channel traffic for multi-command sequences that a single application action should not produce (for example a DELE arriving immediately after a RETR from the same client).
- The protectWhitespace() helper in basic-ftp only handles leading spaces and does not strip or reject embedded CRLF characters; any path argument containing \r\n bypasses this guard entirely.
- Only basic-ftp versions prior to 5.2.1 are affected; instances running 5.2.1 or later are not.
CVSS provenance
- NVD (v3.1): 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- Red Hat (vendor): 8.6 HIGH
VulDB
patrickjuchli basic-ftp up to 5.2.0 path crlf injection
vuldb · 2026-04-09 · CVSS 8.6 · CVE-2026-39983 [HIGH]
A vulnerability described as problematic has been identified in patrickjuchli basic-ftp up to 5.2.0. This vulnerability affects the function cd/remove/rename/uploadFrom/downloadTo/list/removeDir. The manipulation of the argument path results in crlf injection.
This vulnerability is cataloged as CVE-2026-39983. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA
basic-ftp has FTP Command Injection via CRLF
ghsa · 2026-04-08 · CVE-2026-39983 [HIGH] · CWE-93
## Summary
`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\r\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library's `protectWhitespace()` helper only handles leading spaces and returns other paths unchanged, while `FtpContext.send()` writes the resulting command string directly to the control socket with `\r\n` appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands.
## Affected product
| Product | Affected versions | Fixed version |
| --- | --- | --- |
| basic-ftp (npm) | 5.2.0 (confirmed) | no fix available as of 2026-04-04 (advisory snapshot; 5.2.1 has since shipped the fix, see the NVD description above) |
## Vulnerabilit
OSV
basic-ftp has FTP Command Injection via CRLF
osv · 2026-04-08 · CVE-2026-39983 [HIGH]
Text identical to the GHSA advisory above (OSV mirrors the GitHub advisory).
Red Hat
basic-ftp: Command injection via CRLF sequences in file path parameters
vendor_redhat · 2026-04-09 · CVSS 8.6 · CVE-2026-39983 [HIGH] · CWE-93
A flaw was found in basic-ftp, an FTP client for Node.js. A remote attacker can exploit this vulnerability by injecting Carriage Return Line Feed (CRLF) sequences into file path parameters used by high-level APIs. This allows the attacker to split a single intended FTP command into multiple commands. Such command injection lets the attacker issue arbitrary FTP commands within the client's authenticated session, potentially compromising the integrity and availability of data on the server.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: rhdh/r
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-39983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVE-2026-39983 [HIGH] · JavaScript vulnerability analysis and mitigation
Description: same NVD text as at the top of this page.
Source: NVD
Score 8.6 · Severity HIGH · CNA Score 8.6 · Published April 9, 2026
Affected Technologies: JavaScript
Wiz
GHSA-5h3f-885m-v22w Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-5h3f-885m-v22w Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5h3f-885m-v22w :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Existing WS sessions survive shared gateway token rotation.
Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.4.1
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @kexinoh of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Wiz
CVE-2026-35525 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-35525 [HIGH] CVE-2026-35525 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35525 :
JavaScript vulnerability analysis and mitigation
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based. Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target. So the restriction is applied to the path string that was requested, not to the file that is actually r
Wiz
CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.2
CVE-2026-35041 [MEDIUM] CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35041 :
JavaScript vulnerability analysis and mitigation
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Source : NVD
## 4.2
Score
Published April 9, 2026
Severity MEDIUM
CNA Score 4.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploita
Wiz
GHSA-w9j9-w4cp-6wgr Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-w9j9-w4cp-6wgr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w9j9-w4cp-6wgr :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
OpenClaw Host-Exec Environment Variable Injection.
Host exec could inherit environment variables that influence interpreters, shells, or build tools.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.3.28
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @wsparks-vc for reporting.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has
Wiz
GHSA-83f3-hh45-vfw9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-83f3-hh45-vfw9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-83f3-hh45-vfw9 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
ws://
## Impact
A user who followed a forged discovery result or scanned a crafted setup code could disclose stored gateway credentials to an attacker-controlled endpoint in plaintext. This was a transport-security bug in the Android gateway client.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
a941a4fef9bc43b2973c92d0dcff5b8a426210c5
## Release Process Note
main
2026.4.2
2026.4.2
Source : NVD
## 6.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
Wiz
CVE-2025-62718 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-62718 [CRITICAL] CVE-2025-62718 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62718 :
JavaScript vulnerability analysis and mitigation
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Source : NVD
## 9.3
Sc
Wiz
CVE-2026-34765 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2026-34765 [MEDIUM] CVE-2026-34765 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34765 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust le
Wiz
CVE-2026-35040 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35040 [MEDIUM] CVE-2026-35040 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35040 :
JavaScript vulnerability analysis and mitigation
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Wiz
CVE-2026-34781 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-34781 [LOW] CVE-2026-34781 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34781 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Source : NVD
## 2.8
Score
Publish
Wiz
GHSA-w6wx-jq6j-6mcj Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-w6wx-jq6j-6mcj Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w6wx-jq6j-6mcj :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
pnpm dlx
pnpm exec
pnpm dlx
## Impact
An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
176c059b05357df1bc09d4328a2380670859eeff
pnpm dlx
## Release Process Note
main
2026.4.2
2026.4.2
Source : NVD
## 6.9
Score
Published April 7, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due D
Wiz
CVE-2026-39859 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39859 [MEDIUM] CVE-2026-39859 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39859 :
JavaScript vulnerability analysis and mitigation
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
Source : NVD
## 6.3
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.6
Exploitation Probability (EPSS) 0.1
Wiz
GHSA-4f8g-77mw-3rxc Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-4f8g-77mw-3rxc Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4f8g-77mw-3rxc :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
auth: gateway
operator.read
operator.write
## Affected Packages / Versions
openclaw
2026.1.29
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @smaeljaish771 for reporting.
Source : NVD
## 2
Score
Published April 9, 2026
Severity LOW
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity LOW Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-39321 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39321 [MEDIUM] CVE-2026-39321 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39321 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
Source : NVD
## 6.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit No
Has C
Wiz
GHSA-whf9-3hcx-gq54 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-whf9-3hcx-gq54 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-whf9-3hcx-gq54 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
device.token.rotate
## Affected Packages / Versions
openclaw
<= v2026.04.01
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @nicky-cc of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
n
Wiz
GHSA-767m-xrhc-fxm7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-767m-xrhc-fxm7 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-767m-xrhc-fxm7 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
## Current Maintainer Triage
Status: narrow
Normalized severity: medium
Assessment: Real shipped operator.write to admin-class Telegram config or cron persistence bug, but it is an authenticated sink-specific escalation and high is too high given the narrower scope.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.28
v2026.3.28
## Fix Commit(s)
b7d70ade3b9900dbe97bd73be9c02e924ff3c986
## Release Process Note
2026.3.28
This draft looks ready for final maintainer disposition or publication, not additional code-fix work.Thanks @zpbrent for reporting.
Sou
Wiz
GHSA-qx8j-g322-qj6m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-qx8j-g322-qj6m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-qx8j-g322-qj6m :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
fetchWithSsrFGuard
## Affected Packages / Versions
openclaw
<2026.3.31
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @BG0ECV for reporting.
Source : NVD
## 7.4
Score
Published April 9, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Apr 09, 2026
## Get a CVE risk assessmen
Wiz
GHSA-jj6q-rrrf-h66h Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-jj6q-rrrf-h66h Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-jj6q-rrrf-h66h :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.
## Impact
The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
be10ecef770a4654519869c3641bbb91087c8c7b
## Release Process Note
main
2026.4.2
2026.4.2
Source : NVD
## 6.3
Wiz
GHSA-67mf-f936-ppxf Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-67mf-f936-ppxf Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-67mf-f936-ppxf :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
node.pair.approve
operator.write
operator.pairing
## Affected Packages / Versions
openclaw
<= v2026.04.01
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @nicky-cc of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 6.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libr
Wiz
GHSA-3fv3-6p2v-gxwj Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-3fv3-6p2v-gxwj Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3fv3-6p2v-gxwj :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths.
QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.4.2
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @adithyan-ak for reporting.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Pub
Wiz
GHSA-4p4f-fc8q-84m3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-4p4f-fc8q-84m3 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4p4f-fc8q-84m3 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger agent.request dispatch without the stricter trusted-canvas origin check.
## Impact
A loaded attacker-controlled page could inject unauthorized non-owner agent.request runs into the active iOS node session, polluting session state and consuming budget. The demonstrated impact did not include owner-only actions or arbitrary host execution.
## Affected Packages / Versions
Package: openclaw (npm)
Affected versions: = 2026.4.2
Latest published npm version: 2026.4.1
## Fix Commit(s)
49d08382a90f
Wiz
CVE-2026-39381 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39381 [MEDIUM] CVE-2026-39381 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39381 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
Source: NVD
- Score: 5.3
- Published: April 7, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
[HIGH] GHSA-5hff-46vh-rxmw Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-5hff-46vh-rxmw :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
`POST /sessions/:sessionKey/kill`
## Impact
A read-scoped caller could perform a write-class control-plane mutation and interrupt delegated work. This was an authorization bug on the HTTP scope boundary, not a shared-secret compatibility exception.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
54a0878517167c6e49900498cf77420dadb74beb
## Release Process Note
main
2026.4.2
2026.4.2
Source: NVD
- Score: 5.3
- Published: April 7, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
[HIGH] CVE-2026-39974 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.5)
## CVE-2026-39974 :
JavaScript vulnerability analysis and mitigation
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP
[HIGH] GHSA-4g5x-2jfc-xm98 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-4g5x-2jfc-xm98 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Tlon media downloads can bypass core safety limits and exhaust disk
## Current Maintainer Triage
Status: narrow
Normalized severity: low
Assessment: Shipped v2026.3.28 Tlon media downloads bypassed core size/count/cleanup limits, but this is availability-only resource exhaustion in a bundled plugin path, so low.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.31
v2026.3.31
## Fix Commit(s)
2194587d70d2aef863508b945319c5a7c88b12ce
## Release Process Note
2026.3.31
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.
Source: NVD
- Score: 6.3
[MEDIUM] GHSA-5478-66c3-rhxr Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## GHSA-5478-66c3-rhxr :
JavaScript vulnerability analysis and mitigation
- Score: 8.7
- Published: April 8, 2026
- Severity: HIGH
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: @chenglou/pretext
- Sources: NVD; npm (Severity HIGH, Has Fix, Added at: Apr 09, 2026)
## Related JavaScript vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-39983 | HIGH | 8.6 | JavaScript | | | | |
[MEDIUM] CVE-2026-39356 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39356 :
JavaScript vulnerability analysis and mitigation
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
Source: NVD
- Score: 7.5
- Published: April 7, 2026
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: JavaScript
- Has Public Exploit: No
[HIGH] GHSA-ccx3-fw7q-rr2r Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-ccx3-fw7q-rr2r :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Multiple Code Paths Missing Base64 Pre-Allocation Size Checks.
Several base64 decode paths could allocate before enforcing decoded-size limits.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=v2026.4.2
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Source: NVD
- Score: 5.1
- Published: April 9, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
[MEDIUM] CVE-2026-34511 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.0)
## CVE-2026-34511 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.
Source: NVD
- Score: 6
- Published: April 3, 2026
- Severity: MEDIUM
- CNA Score: 6.0
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 9.1
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: openclaw
- Sources: NVD; npm
[HIGH] GHSA-3q42-xmxv-9vfr Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-3q42-xmxv-9vfr :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
## Current Maintainer Triage
Status: narrow
Normalized severity: medium
Assessment: Real shipped operator.write to admin-class Talk Voice config persistence bug, but it is the same narrow authenticated persistence class and should be normalized below high.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.28
v2026.3.28
## Fix Commit(s)
e34694733fc64931ed4a543c73d84ad3435d5df1
## Release Process Note
2026.3.28
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @zpbrent for reporting.
Source: NVD
[MEDIUM] CVE-2026-39412 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39412 :
JavaScript vulnerability analysis and mitigation
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Source: NVD
- Score: 5.3
- Published: April 8, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: JavaScript, Chainguard
- Has Public Exploit: No
- Has CISA KEV Exploit: No
[HIGH] GHSA-7437-7hg8-frrw Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-7437-7hg8-frrw :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class).
Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
< 2026.4.8
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @boy-hack of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting
[MEDIUM] CVE-2026-39942 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39942 :
JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
Source: NVD
- Score: 8.5
- Published: April 9, 2026
- Severity: HIGH
- CNA Score: 8.5
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
- Exploitation Probability (EPSS): N/A
[MEDIUM] GHSA-26pp-8wgv-hjvm Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## GHSA-26pp-8wgv-hjvm :
JavaScript vulnerability analysis and mitigation
## Summary
`setCookie()`, `serialize()`, `serializeSigned()`
## Details
`setCookie()`, `serialize()`, `serializeSigned()`; `\r`, `\n`; `Set-Cookie`

```text
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
`setCookie()`, `serialize()`, `serializeSigned()`; `Set-Cookie`
Source: NVD
- Score: 5.3
- Published: April 8, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
CVE-2026-4039 [HIGH] GHSA-vfw7-6rhc-6xxg Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-vfw7-6rhc-6xxg :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
## Current Maintainer Triage
Status: open
Normalized severity: high
Assessment: Real shipped malicious-workspace-config env injection in the CLI backend runner, fixed by sanitizing backend env before spawn and shipped in v2026.3.24, so advisory stays open until published.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.24
v2026.3.24
## Fix Commit(s)
c2fb7f1948c3226732a630256b5179a60664ec24
## Release Process Note
2026.3.24
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @YLChen-007 for
GHSA-vvjj-xcjg-gr5g Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz)
## GHSA-vvjj-xcjg-gr5g :
JavaScript vulnerability analysis and mitigation
## Summary
`name`, `\r\n`
## Details
`lib/smtp-connection/index.js`, `name`

```js
// lib/smtp-connection/index.js, line 71
this.name = this.options.name || this._getHostname();
// line 1336
this._sendCommand('EHLO ' + this.name);
```

`_sendCommand`, `\r\n`

```js
this._socket.write(Buffer.from(str + '\r\n', 'utf-8'));
```

`name`, `\r\n`, `envelope.from`, `envelope.to`, `envelope.size`, `size`
## PoC

```js
const nodemailer = require('nodemailer');
const net = require('net');
// Simple SMTP server to observe injected commands
const server = net.createServer(socket => {
  socket.write('220 test ESMTP\r\n');
  socket.on('data', data => {
    const lines = data.toString().split('\r\n').filter(l => l);
    lines.forEach(line => {
      // the page's listing is cut off at "console.l"; console.log(line) is the assumed completion
      console.log(line);
    });
  });
});
// The remainder of the PoC (server.listen and the nodemailer client call) is not reproduced on the page.
```
[MEDIUM] GHSA-5g3j-89fr-r2vp Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## GHSA-5g3j-89fr-r2vp :
JavaScript vulnerability analysis and mitigation
## Summary
`skilleton`, `0.3.1`
## Affected Versions
=0.3.1
## Impact
`0.3.1`
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
## Severity
Low to Moderate (project-maintainer assessed)
## Mitigation
`0.3.1`
## Workarounds
No complete workaround is recommended other than upgrading.
## References
- fix/security-code-scanning-alerts
- fix(security): harden git arg handling and path validation
- fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
## Credits
Detected through automated code scanning an
[MEDIUM] CVE-2026-39407 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39407 :
JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
Source: NVD
- Score: 5.3
- Published: April 8, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: JavaScript, Chainguard
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
[MEDIUM] CVE-2026-39865 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39865 :
JavaScript vulnerability analysis and mitigation
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Source: NVD
- Score: 5.9
- Published: April 8, 2026
- Severity: MEDIUM
- CNA Score: 5.9
- Affected Technologies: JavaScript, Grafana
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
[HIGH] GHSA-25wv-8phj-8p7r Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-25wv-8phj-8p7r :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths.
Concurrent asynchronous shared-secret auth attempts could race the per-key rate-limit budget.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=2026.4.2
2026.4.4
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @Telecaster2147 for reporting.
Source: NVD
- Score: 2.1
- Published: April 9, 2026
- Severity: LOW
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
[HIGH] GHSA-wwfp-w96m-c6x8 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-wwfp-w96m-c6x8 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.
## Impact
This issue could deny new pairing or onboarding on another account until an existing request was approved or expired. It was an availability-only bug; it did not allow cross-account approval, data access, or authorization bypass.
## Affected Packages / Versions
openclaw
>= 2026.2.26, = 2026.3.31
2026.4.1
## Fix Commit(s)
9bc1f896c8cd325dd4761681e9bdb8c425f69785
## Release Process Note
[HIGH] GHSA-vr5g-mmx7-h897 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-vr5g-mmx7-h897 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Browser SSRF Policy Bypass via Interaction-Triggered Navigation.
Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.4.5
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @ccreater222 and @KeenSecurityLab for reporting.
Source: NVD
- Score: 6.9
- Published: April 9, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
[HIGH] GHSA-98ch-45wp-ch47 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-98ch-45wp-ch47 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.
## Impact
An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d
## Release Process Note
main
2026.4.2
2026.4.2
Source: NVD
- Score: 6.9
- Published: April 7, 2026
[HIGH] GHSA-cmfr-9m2r-xwhq Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-cmfr-9m2r-xwhq :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
`node.invoke(browser.proxy)`, `browser.request`
## Affected Packages / Versions
openclaw
<= v2026.04.01
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @nicky-cc of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source: NVD
- Score: 5.9
- Published: April 9, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
- Exploitation Probability (EPSS): N/A
[MEDIUM] CVE-2026-39943 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39943 :
JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Source: NVD
- Score: 6.5
- Published: April 9, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
[HIGH] GHSA-2qrv-rc5x-2g2h Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-2qrv-rc5x-2g2h :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.
## Impact
A cloned workspace could turn channel setup for a built-in channel into unintended in-process code execution from an untrusted workspace plugin. This bypassed the intended workspace-plugin trust boundary during setup and login.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0
## Release Process Note
main
[HIGH] GHSA-5fc7-f62m-8983 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-5fc7-f62m-8983 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix).
Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=2026.4.3
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @Rosayxy for reporting.
Source: NVD
- Score: 2.1
- Published: April 9, 2026
- Severity: LOW
- CNA Score: N/A
[HIGH] CVE-2026-34148 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
## CVE-2026-34148 :
JavaScript vulnerability analysis and mitigation
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Source: NVD
- Score: 7.5
- Published: April 6, 2026
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: JavaScript
[HIGH] GHSA-5wj5-87vq-39xm Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-5wj5-87vq-39xm :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement.
A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=2026.4.5
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Source: NVD
- Score: 7.3
- Published: April 9, 2026
- Severity: HIGH
[MEDIUM] CVE-2026-39406 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39406 :
JavaScript vulnerability analysis and mitigation
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
Source: NVD
- Score: 5.3
- Published: April 8, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: JavaScript, Chainguard
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
[HIGH] GHSA-fh32-73r9-rgh5 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-fh32-73r9-rgh5 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
`localhost`
## Impact
A hostile discovery response could retarget authenticated browser control toward a localhost-resolving endpoint on the OpenClaw host. This weakened the existing remote-CDP loopback protection and could expose localhost-backed browser state.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
9c22d636697336a6b22b0ae24798d8b8325d7828
## Release Process Note
main
2026.4.2
2026.4.2
Source: NVD
- Score: 6.3
- Published: April 7, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
[HIGH] GHSA-fqrj-m88p-qf3v Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-fqrj-m88p-qf3v :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
`event_name`, `message_id`
## Impact
An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.
## Affected Packages / Versions
openclaw
>= 2026.2.19, = 2026.3.31
2026.4.1
## Fix Commit(s)
4d038bb242c11f39e45f6a4bde400e5fd42e4ebf
7cea7c29705b188b464cc9cdc107c275b94b2a72
## Release Process Note
2026.3.31
2026.4.1
Source: NVD
- Score: 2.3
- Published: April 7, 2026
- Severity: LOW
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
[HIGH] GHSA-h43v-27wg-5mf9 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-h43v-27wg-5mf9 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.3.31, the Nostr DM ingress path could issue pairing challenges before validating the event signature. A forged DM could create a pending pairing entry and trigger a pairing-reply attempt before signature rejection.
## Impact
An unauthenticated remote sender could consume shared pairing capacity and trigger bounded relay/logging work on the Nostr channel. This issue did not grant message decryption, pairing approval, or broader authorization bypass.
## Affected Packages / Versions
openclaw
>= 2026.3.22, = 2026.3.31
2026.4.1
## Fix Commit(s)
4ee742174f36b5445703e3b1ef2fbd6ae6700fa4
## Release Process Note
2026.3.31
2026.4.1
Source: NVD
[MEDIUM] CVE-2026-39885 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
## CVE-2026-39885 :
JavaScript vulnerability analysis and mitigation
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
Source: NVD
- Score: 7.5
- Published: April 8, 2026
- Severity: HIGH
[HIGH] GHSA-42mx-vp8m-j7qh Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.6)
## GHSA-42mx-vp8m-j7qh :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
`mirror`
## Current Maintainer Triage
Status: narrow
Normalized severity: medium
Assessment: Real on shipped = 2026.3.28
v2026.3.28
## Fix Commit(s)
c02ee8a3a4cb390b23afdf21317aa8b2096854d1
## Release Process Note
2026.3.28
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting.
Source: NVD
- Score: 6.3
- Published: April 7, 2026
- Severity: MEDIUM
- CNA Score: N/A
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): N/A
[LOW] CVE-2026-34166 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 3.7)
## CVE-2026-34166 :
JavaScript vulnerability analysis and mitigation
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.
Source : NVD
## 3.7
Score
Published April 8, 2026
Wiz
GHSA-3vvq-q2qc-7rmp Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-3vvq-q2qc-7rmp Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3vvq-q2qc-7rmp :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
B-M3: ClawHub package downloads are not enforced with integrity verification.
ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.4.1
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @kexinoh of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 6.9
Score
Published April 9, 2026
Severity MEDIUM
Wiz
GHSA-rxmx-g7hr-8mx4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-rxmx-g7hr-8mx4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-rxmx-g7hr-8mx4 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.
## Impact
Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.
## Affected Packages / Versions
openclaw
= 2026.4.2
2026.4.1
## Fix Commit(s)
ef7c553dd16ee579f1d1a363f5881a99726c1412
## Release Process Note
main
2026.4.2
2026.4.2
Source : NVD
## 6.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score N/A
Wiz
GHSA-h2v7-xc88-xx8c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-h2v7-xc88-xx8c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-h2v7-xc88-xx8c :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
/phone arm
/phone disarm
operator.admin
## Current Maintainer Triage
Status: open
Normalized severity: medium
Assessment: Maintainers accepted this issue, fixed it in aa66ae1fc797d3298cc409ed2c5da69a89950a45 on 2026-03-27, and that fix shipped in v2026.3.28, so normalize it as a fixed released draft rather than a close-by-trust-model call.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.28
v2026.3.28
## Fix Commit(s)
aa66ae1fc797d3298cc409ed2c5da69a89950a45
## Release Process Note
2026.3.28
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.
Source :
Wiz
GHSA-68x5-xx89-w9mm Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-68x5-xx89-w9mm Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-68x5-xx89-w9mm :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
resolvedAuth closure becomes stale after config reload.
After a config reload, newly accepted gateway connections could continue using stale resolved auth state.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<= 2026.4.1
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @kexinoh of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 5.1
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Wiz
CVE-2026-35613 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-35613 [MEDIUM] CVE-2026-35613 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35613 :
JavaScript vulnerability analysis and mitigation
coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.
Source : NVD
## 5.1
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Wiz
GHSA-q2gc-xjqw-qp89 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-q2gc-xjqw-qp89 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-q2gc-xjqw-qp89 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.
The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=2026.4.2
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Source : NVD
## 5.9
Score
Published April 9, 2026
Severity MEDIUM
Wiz
CVE-2026-39411 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39411 [MEDIUM] CVE-2026-39411 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39411 :
JavaScript vulnerability analysis and mitigation
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
Source : NVD
## 5
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 5.0
Affected Technologies
JavaScript
Wiz
GHSA-fwjq-xwfj-gv75 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-fwjq-xwfj-gv75 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-fwjq-xwfj-gv75 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
session_status
tools.sessions.visibility
## Current Maintainer Triage
Status: narrow
Normalized severity: medium
Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.31
v2026.3.31
## Fix Commit(s)
4d369a3400dc9b737fbe8daa63f09d909ce7beb8
## Release Process Note
2026.3.31
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @tdjackey for reporting.
Source : NVD
## 6.3
Score
Wiz
GHSA-vc32-h5mq-453v Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-vc32-h5mq-453v Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vc32-h5mq-453v :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
/allowlist omits owner-only enforcement for cross-channel allowlist writes.
An authorized non-owner sender could attempt allowlist writes against a different channel.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=v2026.4.1
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @zsxsoft and @KeenSecurityLab for reporting.
Source : NVD
## 4.8
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Wiz
CVE-2026-39408 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39408 [MEDIUM] CVE-2026-39408 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39408 :
JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Source : NVD
## 5.9
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Wiz
CVE-2026-39397 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39397 [MEDIUM] CVE-2026-39397 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39397 :
JavaScript vulnerability analysis and mitigation
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
Source : NVD
## 9.4
Score
Published April 7, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
GHSA-cm8v-2vh9-cxf3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-cm8v-2vh9-cxf3 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-cm8v-2vh9-cxf3 :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant).
Git plumbing environment variables were not removed before host exec and could redirect Git operations.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
<=2026.3.30
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @boy-hack of Tencent zhuque Lab ( https://github.com/Tencent/AI-Infra-Guard ) for reporting.
Source : NVD
## 2
Score
Published April 9, 2026
Wiz
GHSA-gfmx-pph7-g46x Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-gfmx-pph7-g46x Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gfmx-pph7-g46x :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
System:
exec-event
## Affected Packages / Versions
openclaw
<= 2026.4.2
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @tdjackey for reporting.
Source : NVD
## 7.3
Score
Published April 9, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Apr 09, 2026
Wiz
GHSA-jf56-mccx-5f3f Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-jf56-mccx-5f3f Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-jf56-mccx-5f3f :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
/hooks/wake
wake
System:
## Affected Packages / Versions
openclaw
<= 2026.4.2
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @tdjackey for reporting.
Source : NVD
## 8.5
Score
Published April 9, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Apr 09, 2026
Wiz
GHSA-vjx8-8p7h-82gr Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-vjx8-8p7h-82gr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vjx8-8p7h-82gr :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
Marketplace Plugin Download Follows Redirects Without SSRF Protection
## Current Maintainer Triage
Status: open
Normalized severity: medium
Assessment: v2026.3.28 still uses bare redirect-following fetch in src/plugins/marketplace.ts for marketplace archives, and fixed-on-main only does not change that shipped SSRF exposure.
## Affected Packages / Versions
openclaw
2026.3.31
= 2026.3.31
v2026.3.31
## Fix Commit(s)
2ce44ca6a1302b166a128abbd78f72114f2f4f52
## Release Process Note
2026.3.31
This draft looks ready for final maintainer disposition or publication, not additional code-fix work. Thanks @AntAISecurityLab for reporting.
Source : NVD
## 6.9
Wiz
CVE-2026-39410 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39410 [MEDIUM] CVE-2026-39410 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39410 :
JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
Source : NVD
## 4.8
Score
Published April 8, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Wiz
GHSA-w8g9-x8gx-crmm Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-w8g9-x8gx-crmm Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w8g9-x8gx-crmm :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Impact
Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable.
Strict browser SSRF checks could miss Playwright request-time navigation to private targets.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
openclaw
2026.3.8
2026.4.8
## Fix
main
d7c3210cd6f5fdfdc1beff4c9541673e814354d5
## Verification
main
## Credits
Thanks @smaeljaish771 for reporting.
Source : NVD
## 6.9
Score
Published April 9, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Wiz
GHSA-wpc6-37g7-8q4w Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
[HIGH] GHSA-wpc6-37g7-8q4w Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-wpc6-37g7-8q4w :
OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
--rcfile
--init-file
--startup-file
## Impact
This issue only applied when exec allowlist or allow-always behavior was enabled and the attacker could steer a shell-wrapper command shape that used init-file options. The result was a narrower allowlist bypass, not generic arbitrary command execution from an untrusted boundary.
## Affected Packages / Versions
openclaw
= 2026.3.31
2026.4.1
## Fix Commit(s)
0c8375424620e12777ef24c162eedc7e9fcfd7e3
## Release Process Note
2026.3.31
2026.4.1
Source : NVD
## 6.3
Score
Published April 7, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
OpenClaw (formerly Moltbot or Clawdbot)
Wiz
CVE-2026-39398 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39398 [MEDIUM] CVE-2026-39398 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39398 :
JavaScript vulnerability analysis and mitigation
Rejected reason: The affected product and advisory are not public.
Source : NVD
Published April 9, 2026
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw-claude-bridge
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Apr 09, 2026
Wiz
CVE-2026-39315 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-39315 [MEDIUM] CVE-2026-39315 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39315 :
JavaScript vulnerability analysis and mitigation
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes
Bugzilla
CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters
bugzilla·2026-04-09·CVSS 8.6
CVE-2026-39983 [HIGH] CVE-2026-39983 basic-ftp: basic-ftp: Command injection via CRLF sequences in file path parameters
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b
https://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.1
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/security/cve/CVE-2026-39983
https://bugzilla.redhat.com/show_bug.cgi?id=2456971
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39983.json
2026-04-09
Published