Cross-site scripting in OpenClaw - #VU132716

Published: May 29, 2026


Vulnerability identifier: #VU132716
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to insufficient sanitization of link targets when markdown links are rendered into the exported session HTML. A remote attacker can supply content containing unsafe javascript: or data: links to execute arbitrary script in the victim's browser.

User interaction is required to open the exported file and activate the link, and the issue is limited to cases where the affected feature is enabled and reachable.
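One way a renderer can close this class of bug, shown here as an added example rather than OpenClaw's own code: normalise each link target the way browsers do before inspecting its scheme, allow only an explicit list of schemes, and demote rejected links to plain text. All function names are assumptions.

```javascript
// Added example (not OpenClaw's code): scheme allowlisting for markdown link
// targets before they are written into exported session HTML.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Browsers strip tab/LF/CR from URLs and trim surrounding whitespace before
// parsing, so "java\tscript:" still runs. Strip all C0 controls and trim
// here so the scheme check sees what the browser will see (or stricter).
function normalizeHref(raw) {
  return String(raw).replace(/[\u0000-\u001f]/g, "").trim();
}

// Returns the href to emit, or null when the link must be dropped.
// The check must run on the decoded URL, i.e. after any entity decoding
// the markdown parser performs on the destination.
function safeHref(raw) {
  const href = normalizeHref(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!m) return href; // relative or fragment link: no scheme to abuse
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? href : null;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Render one link; a rejected target degrades to its escaped label so the
// export keeps the visible text but carries no executable link.
function renderLink(text, rawHref) {
  const href = safeHref(rawHref);
  const label = escapeHtml(text);
  if (href === null) return label;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Replace every [text](url) in a markdown string (inline links only).
function renderMarkdownLinks(md) {
  return md.replace(/\[([^\]]*)\]\(([^)]*)\)/g, (_, t, u) => renderLink(t, u));
}
```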

Remediation

Install the security update from the vendor's website.

Sources