CVE-2026-32040

Sažetak

OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when exported HTML is opened.

Reference

https://github.com/openclaw/openclaw/pull/24140
https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56
https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation

CVSS

Base:	4.6
Impact:	2.7
Exploitability:	1.5

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Zadnje važnije ažuriranje

19-03-2026 - 22:16

Objavljeno

19-03-2026 - 22:16