Search for vulnerabilities
| Vulnerability ID | VCID-h9a2-umzd-xuav |
| Aliases |
GHSA-f6pf-4gjx-c94r
|
| Summary | OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read ## Summary OpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read ## Affected Packages / Versions - Package: `openclaw` (npm) - Latest published npm version: `2026.3.31` - Vulnerable version range: `<=2026.3.24` - Patched versions: `>= 2026.3.28` - First stable tag containing the fix: `v2026.3.28` ## Fix Commit(s) - `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00 ## Release Process Note - The fix is already present in released version `2026.3.28`. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-f6pf-4gjx-c94r |
| cvssv4 | 7.1 | https://github.com/openclaw/openclaw |
| generic_textual | HIGH | https://github.com/openclaw/openclaw |
| cvssv4 | 7.1 | https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37 |
| generic_textual | HIGH | https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37 |
| cvssv3.1_qr | HIGH | https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r |
| cvssv4 | 7.1 | https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r |
| generic_textual | HIGH | https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-31T10:51:08.224093+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f6pf-4gjx-c94r/GHSA-f6pf-4gjx-c94r.json | 38.6.0 |