Search for packages
| purl | pkg:npm/moltbot@0.1.0 |
| Next non-vulnerable version | 2026.1.27-beta.1 |
| Latest non-vulnerable version | 2026.1.27-beta.1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-d773-ax88-4kdh
Aliases: CVE-2026-28458 GHSA-mr32-vwc2-5j6h |
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access In affected versions, the Browser Relay `/cdp` WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay (via loopback WebSocket) and use CDP to access cookies from other open tabs and run JavaScript in the context of other tabs. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-05T21:58:52.252010+00:00 | GHSA Importer | Affected by | VCID-d773-ax88-4kdh | https://github.com/advisories/GHSA-mr32-vwc2-5j6h | 38.6.0 |
| 2026-06-02T04:50:07.436080+00:00 | GitLab Importer | Affected by | VCID-d773-ax88-4kdh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/moltbot/CVE-2026-28458.yml | 38.6.0 |