Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newMedium CVE-2026-41333 CWE-307/CWE-799
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
deployed_code Affected: openclaw <= 2026.3.28 calendar_today Published: April 03, 2026 -
open_in_newHigh GHSA-jccr-rrw2-vc8h CWE-185/CWE-200
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
deployed_code Affected: openclaw <= 2026.3.24 calendar_today Published: March 31, 2026 -
open_in_newMedium CVE-2026-41332 CWE-184
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
deployed_code Affected: openclaw <= 2026.3.24 calendar_today Published: March 31, 2026 -
open_in_newLow GHSA-g86v-f9qv-rh6m CWE-918
OpenClaw SSRF guard misses four IPv6 special-use ranges
deployed_code Affected: openclaw <= 2026.3.24 calendar_today Published: March 31, 2026 -
open_in_newCritical CVE-2026-33873 CWE-94
Langflow has Authenticated Code Execution in Agentic Assistant Validation
deployed_code Affected: langflow <= 1.8.1 calendar_today Published: March 26, 2026 -
open_in_newCritical CVE-2026-4725 CWE-416
Sandbox escape due to use-after-free in the Graphics: Canvas2D component
deployed_code Affected: firefox < 149 calendar_today Published: March 24, 2026 -
open_in_newHigh CVE-2026-4715 CWE-908
Uninitialized memory in the Graphics: Canvas2D component
deployed_code Affected: firefox < 140.9; < 149 calendar_today Published: March 24, 2026 -
open_in_newMedium CVE-2026-4706 CWE-754
Incorrect boundary conditions in the Graphics: Canvas2D component
deployed_code Affected: firefox < 115.34; < 140.9; < 149 calendar_today Published: March 24, 2026 -
open_in_newCritical CVE-2026-3846 CWE-346
Same-origin policy bypass in the CSS Parsing and Computation component
deployed_code Affected: firefox < 148.0.2 calendar_today Published: March 10, 2026 -
open_in_newMedium CVE-2026-32018 CWE-362
OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
deployed_code Affected: openclaw < 2026.2.19 calendar_today Published: March 03, 2026
Per page
