{"url":"http://public2.vulnerablecode.io/api/packages/936811?format=json","purl":"pkg:npm/clawdbot@2026.1.4","type":"npm","namespace":"","name":"clawdbot","version":"2026.1.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69381?format=json","vulnerability_id":"VCID-1jkg-w79j-93bj","summary":"OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28480","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14145","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14027","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28480"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128","reference_id":"9e147f00b48e63e7be6964e0e2a97f2980854128","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.5","scoring
_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28480","reference_id":"CVE-2026-28480","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28480"},{"reference_url":"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3","reference_id":"e3b432e481a96b8fd41b91273818e514074e05c3","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/"}],"url":"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3"},{"reference_url":"https://github.com/advisories/GHSA-mj5r-hh7j-4gxf","reference_id":"GHSA-mj5r-hh7j-4gxf","reference_type":"","scores":[{"value":"MODERATE","sc
oring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj5r-hh7j-4gxf"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf","reference_id":"GHSA-mj5r-hh7j-4gxf","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization","reference_id":"openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/
38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-28480","GHSA-mj5r-hh7j-4gxf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1jkg-w79j-93bj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69236?format=json","vulnerability_id":"VCID-3328-g8jv-xuey","summary":"OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability 
degradation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28478","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34202","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.3438","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28478"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930","reference_id":"3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:11:57Z/"}],"url":"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28478","reference_id":"CVE-2026-28478","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28478"},{"reference_url":"https://github.com/advisories/GHSA-q447-rj3r-2cgh","reference_id":"GHSA-q447-rj3r-2cgh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q447-rj3r-2cgh"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh","reference_id":"GHSA-q447-rj3r-2cgh",
"reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:11:57Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering","reference_id":"openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:11:57Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-28478","GHSA-q447-rj3r-2cgh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-332
8-g8jv-xuey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66247?format=json","vulnerability_id":"VCID-8ezs-t8mg-3fb2","summary":"OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25157","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00753","published_at":"2026-06-12T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00756","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25157"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25157","reference_id":"CVE-2026-25157","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":
"https://nvd.nist.gov/vuln/detail/CVE-2026-25157"},{"reference_url":"https://github.com/advisories/GHSA-q284-4pvr-m585","reference_id":"GHSA-q284-4pvr-m585","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q284-4pvr-m585"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585","reference_id":"GHSA-q284-4pvr-m585","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:09Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38473?format=json","purl":"pkg:npm/clawdbot@2026.1.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29"}],"aliases":["CVE-2026-25157","GHSA-q284-4pvr-m585"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8ezs-t8mg-3fb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212594?format=json","vulnerability_id":"VCID-8yw9-q7bt-2ka3","summary":"OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID 
mismatch","references":[{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432"},{"reference_url":"https://github.com/openclaw/openclaw/pull/16243","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/pull/16243"},{"reference_url":"https://github.com/advisories/GHSA-chm2-m3w2-wcxm","reference_id":"GHSA-chm2-m3w2-wcxm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-chm2-m3w2-wcxm"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm","reference_id":"GHSA-chm2-m3w2-wcxm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm"}],"fixed_packages":[{"
url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["GHSA-chm2-m3w2-wcxm"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8yw9-q7bt-2ka3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69191?format=json","vulnerability_id":"VCID-bzw8-fhq2-pyc2","summary":"OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session 
policies.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28469","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13168","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.1307","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28469"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e","reference_id":"61d59a802869177d9cef52204767cd83357ab79e","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/"}],"url":"https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28469","reference_id":"CVE-2026-28469","reference_type":"","scores":[{"value":"9.8","scoring
_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28469"},{"reference_url":"https://github.com/advisories/GHSA-rq6g-px6m-c248","reference_id":"GHSA-rq6g-px6m-c248","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rq6g-px6m-c248"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248","reference_id":"GHSA-rq6g-px6m-c248","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity","reference_id":"openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"9.8","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-28469","GHSA-rq6g-px6m-c248"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzw8-fhq2-pyc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212545?format=json","vulnerability_id":"VCID-cnc5-ge9z-6udc","summary":"Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From 
gatewayUrl","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25253","reference_id":"CVE-2026-25253","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25253"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq","reference_id":"GHSA-g8p2-7wf7-98mq","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"},{"reference_url":"https://github.com/advisories/GHSA-r2c6-8jc8-g32w","reference_id":"GHSA-r2c6-8jc8-g32w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2c6-8jc8-g32w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38473?format=json","purl":"pkg:npm/clawdbot@2026.1.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29"}],"aliases":["GHSA-r2c6-8jc8-g32w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cnc5-ge9z-6udc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70877?format=json","vulnerability_id":"VCID-dkm7-phky-ckct","summary":"OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. 
A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoiding running with auth disabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26317","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05884","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05858","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26317"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3","reference_id":"b566b09f81e2b704bf9398d8d97d5f7a90aa94c3","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26317","refer
ence_id":"CVE-2026-26317","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26317"},{"reference_url":"https://github.com/advisories/GHSA-3fqr-4cg8-h96q","reference_id":"GHSA-3fqr-4cg8-h96q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3fqr-4cg8-h96q"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q","reference_id":"GHSA-3fqr-4cg8-h96q","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14","reference_id":"v2026.2.14","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/"}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"}
,{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-26317","GHSA-3fqr-4cg8-h96q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dkm7-phky-ckct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82593?format=json","vulnerability_id":"VCID-dq3p-v699-nudj","summary":"OpenClaw (formerly  Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24763","reference_id":"","reference_type":"","scores":[{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27717","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00102","scoring_system":"epss","scoring_elements":"0.27515","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24763"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75","reference_id":"771f23d36b95ec2204cc9a0054045f5d8439ea75","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/
S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/"}],"url":"https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24763","reference_id":"CVE-2026-24763","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24763"},{"reference_url":"https://github.com/advisories/GHSA-mc68-q9jw-2h3v","reference_id":"GHSA-mc68-q9jw-2h3v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mc68-q9jw-2h3v"},{"reference_url":"https://github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v","reference_id":"GHSA-mc68-q9jw-2h3v","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v","reference_id":"GHSA-mc68-q9jw-2h3v","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/"}],"url":"https:/
/github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.1.29","reference_id":"v2026.1.29","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/"}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.1.29"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38473?format=json","purl":"pkg:npm/clawdbot@2026.1.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29"}],"aliases":["CVE-2026-24763","GHSA-mc68-q9jw-2h3v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dq3p-v699-nudj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69333?format=json","vulnerability_id":"VCID-ewjx-95c9-6qad","summary":"OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. 
Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28452","reference_id":"","reference_type":"","scores":[{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.3501","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35188","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28452"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea","reference_id":"5f4b29145c236d124524c2c9af0f8acd048fbdea","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"
generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28452","reference_id":"CVE-2026-28452","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28452"},{"reference_url":"https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71","reference_id":"d3ee5deb87ee2ad0ab83c92c365611165423cb71","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/"}],"url":"https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71"},{"reference_url":"https://github.com/advisories/GHSA-h89v-j3x9
-8wqj","reference_id":"GHSA-h89v-j3x9-8wqj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h89v-j3x9-8wqj"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj","reference_id":"GHSA-h89v-j3x9-8wqj","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive","reference_id":"openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"6.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L
/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-28452","GHSA-h89v-j3x9-8wqj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ewjx-95c9-6qad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70926?format=json","vulnerability_id":"VCID-k6g9-z95b-fbbf","summary":"OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. 
Version 2026.2.14 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26328","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02178","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02173","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26328"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59","reference_id":"872079d42fe105ece2900a1dd6ab321b92da2d59","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/"}],"url":"https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26328","reference_id":"CVE-2026-26328","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26328"},{"reference_url":"https://github.com/advisories/GHSA-g34w-4xqq-h79m","reference_id":"GHSA-g34w-4xqq-h79m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.c
om/advisories/GHSA-g34w-4xqq-h79m"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m","reference_id":"GHSA-g34w-4xqq-h79m","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"},{"reference_url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14","reference_id":"v2026.2.14","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/"}],"url":"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39301?format=json","purl":"pkg:npm/clawdbot@2026.2.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.2.14"}],"aliases":["CVE-2026-26328","GHSA-g34w-4xqq-h79m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k6g9-z95b-fbbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74014?format=json","vulnerability_id":"VCID-saun-hfmr-mued","summary":"OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. 
Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29612","reference_id":"","reference_type":"","scores":[{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.3816","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37984","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29612"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595","reference_id":"31791233d60495725fa012745dde8d6ee69e9595","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/"}],"url":"https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29612","reference_id":"CVE-2026-29612","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_el
ements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29612"},{"reference_url":"https://github.com/advisories/GHSA-w2cg-vxx6-5xjg","reference_id":"GHSA-w2cg-vxx6-5xjg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w2cg-vxx6-5xjg"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg","reference_id":"GHSA-w2cg-vxx6-5xjg","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg"},{"reference_url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding","reference_id":"openclaw-denial-of-service-via-large-base-media-file-decoding","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/"}],"url":"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-
decoding"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38580?format=json","purl":"pkg:npm/clawdbot@2026.1.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8ezs-t8mg-3fb2"},{"vulnerability":"VCID-cnc5-ge9z-6udc"},{"vulnerability":"VCID-dq3p-v699-nudj"},{"vulnerability":"VCID-k6g9-z95b-fbbf"},{"vulnerability":"VCID-vccu-ydtz-83g6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24"}],"aliases":["CVE-2026-29612","GHSA-w2cg-vxx6-5xjg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-saun-hfmr-mued"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66265?format=json","vulnerability_id":"VCID-vccu-ydtz-83g6","summary":"OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25253","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30716","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30914","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25253"},{"reference_url":"https://github.com/openclaw/openclaw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/openclaw/openclaw"},{"reference_url":"https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys","reference_id":"1-click-rce-to-steal-your-moltbot-data-and-keys","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scori
ng_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/"}],"url":"https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys"},{"reference_url":"https://x.com/0xacb/status/2016913750557651228","reference_id":"2016913750557651228","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/"}],"url":"https://x.com/0xacb/status/2016913750557651228"},{"reference_url":"https://openclaw.ai/blog","reference_id":"blog","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/"}],"url":"https://openclaw.ai/blog"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25253","reference_id":"CVE-2026-25253","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25253"},{"reference_url":"https://github.com/advisories/GHSA-g8p2-7wf7-98mq","reference_id":"GHSA-g8p2-7wf7-98mq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8p2-7wf7-98mq"},{"reference_url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq","reference_id":"GHSA-g8p2-7wf7-98mq","reference_type":"","scores":[{
"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/"}],"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"},{"reference_url":"https://ethiack.com/news/blog/one-click-rce-moltbot","reference_id":"one-click-rce-moltbot","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/"}],"url":"https://ethiack.com/news/blog/one-click-rce-moltbot"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38473?format=json","purl":"pkg:npm/clawdbot@2026.1.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29"}],"aliases":["CVE-2026-25253","GHSA-g8p2-7wf7-98mq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vccu-ydtz-83g6"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.4"}