CVE Vulnerabilities - 21 March 2026
46 vulnerabilities published on 21 March 2026. Each entry gives the title, the CVE identifier, a summary, and the severity score.
WebCTRL sends unencrypted sensitive data over the network
CVE-2026-24060
The WebCTRL system sends sensitive information, such as file position and data, without encryption when transmitting updates over the network. This means an unauthorized person with access to the netw...
9.1
OpenClaw version 2026.3.1 and earlier: Authorized users can access sensitive settings
CVE-2026-32051
Authenticated users with certain permissions can access and control sensitive features in OpenClaw. This means that an attacker with the wrong level of access can still make changes they shouldn't be ...
8.7
OpenClaw Devices Can Access More Features Without Approval
CVE-2026-32042
OpenClaw devices running versions 2026.2.22 to 2026.2.24 are vulnerable to a security issue that allows unpaired devices to access more features than they should. This can happen if an attacker uses a...
8.7
OpenClaw Sandbox Browser Allows Unauthenticated Access to VNC Interface
CVE-2026-32064
OpenClaw versions prior to 2026.2.21 have a security flaw that lets attackers access the sandbox browser's VNC interface without a password. This can happen when an attacker is on the same network as the computer running OpenClaw...
8.5
WebCTRL service impersonation risk from unauthorized port sharing
CVE-2026-25086
An attacker can impersonate the WebCTRL service if they can bind to the same port, potentially allowing them to send malicious packets. This could happen if the port is not properly secured. To protec...
7.7
OpenClaw versions prior to 2026.2.26 allow attackers to write files outside the workspace
CVE-2026-32055
Old versions of OpenClaw can be tricked into saving files in the wrong place, outside of the workspace, if an attacker creates a special kind of shortcut. This could allow an attacker to write sensiti...
7.2
OpenClaw versions fail to sanitize environment variables, allowing command bypass
CVE-2026-32056
Old versions of OpenClaw don't properly clean up environment variables, which could let attackers sneak in malicious code before security checks. This means an attacker could run unauthorized commands...
7.7
OpenClaw Media Buffer Overflow Vulnerability
CVE-2026-32049
Versions of OpenClaw prior to 2026.2.22 can be exploited by an attacker to trigger a buffer overflow in media handling, corrupting memory and possibly crashing the process. This is a concern for organizations using OpenClaw, as it could lead to system inst...
8.7
OpenClaw Sandbox Bypass in Pre-2026.3.1 Versions
CVE-2026-32048
Versions of OpenClaw before 2026.3.1 have a security flaw that allows a malicious user to bypass security restrictions when creating new processes. This could lead to unauthorized access and potential...
7.7
WebCTRL Systems Can Be Tricked by Fake BACnet Messages
CVE-2026-32666
WebCTRL systems can be vulnerable to fake messages sent over the network, potentially allowing an attacker to control certain devices or disrupt the system. This is because WebCTRL does not verify the...
7.5
WowOptin WordPress Plugin Allows Attackers to Make Server-Side Requests
CVE-2026-4302
The WowOptin WordPress plugin exposes a security risk that allows attackers to make unauthorized requests from the server to any website or server reachable from the plugin, potentially stealing or modifying sensitive in...
7.2
Injection Guard Plugin for WordPress allows malicious scripts in admin logs
CVE-2026-3368
A security issue in the Injection Guard plugin for WordPress allows attackers to inject malicious scripts into the admin log page, which are executed when an administrator views the log. This affects...
7.2
Discourse: Unauthenticated users can guess membership in private groups
CVE-2026-33425
Unauthenticated users can determine if a private group member exists, potentially compromising group confidentiality. This affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2...
6.9
OpenClaw Prior to 2026.2.25: Local File Overwrite Risk
CVE-2026-32054
An attacker with local access to your system can use OpenClaw's browser trace and download feature to write files outside the intended directory, potentially overwriting important system files. This c...
5.9
Twilio Webhook Events Can Be Replayable in OpenClaw
CVE-2026-32053
If you're using OpenClaw versions prior to 2026.2.23, an attacker could potentially send old or duplicate Twilio event messages, causing your system to handle calls incorrectly or become corrupted. Th...
6.9
OpenClaw, versions before 2026.2.25: Malicious File Execution Risk
CVE-2026-32043
OpenClaw users are at risk of executing malicious files on their systems if an attacker manipulates a symbolic link. This can happen if a user approves a job with a validated path, but the actual path...
5.9
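The two symlink entries above (CVE-2026-32055, writing outside the workspace via a crafted link, and CVE-2026-32043, a path that validates cleanly but resolves elsewhere at execution time) describe one pattern: a containment check done on the path string, not on what the path actually points to. The block below is an added example and not OpenClaw's code or a reproduction of either flaw; the workspace layout, the `notes.txt` and `draft.txt` names and the `victim.txt` target are constructed for the demonstration. It contrasts a lexical check with a realpath-based check, and closes the check-then-use window by opening with `O_NOFOLLOW` so a link swapped in after validation is refused.

```python
"""Added example: why a path that 'looks' inside a workspace can still write
outside it through a symlink, and two checks that close the gap."""
import os
import tempfile


def lexical_check(workspace: str, relpath: str) -> bool:
    """Weak check: normalises the string only, never touches the filesystem.
    A symlink inside the workspace that points outside passes this check."""
    target = os.path.normpath(os.path.join(workspace, relpath))
    return target == workspace or target.startswith(workspace + os.sep)


def resolved_check(workspace: str, relpath: str) -> bool:
    """Stronger check: resolve symlinks on both sides before comparing.
    Still only a time-of-check result; the filesystem can change afterwards."""
    ws = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(workspace, relpath))
    return target == ws or target.startswith(ws + os.sep)


def open_nofollow_write(path: str, data: bytes) -> bool:
    """Open for writing with O_NOFOLLOW so a symlink as the final component
    fails (ELOOP) instead of redirecting the write. Returns True on success."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        return False  # symlink in the way, or other failure: refuse the write
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def write_in_workspace(workspace: str, relpath: str, data: bytes) -> bool:
    """Validate the resolved path, then open without following links."""
    if not resolved_check(workspace, relpath):
        return False
    return open_nofollow_write(os.path.join(workspace, relpath), data)


def demo() -> dict:
    """Constructed scenario (hypothetical paths): an attacker plants a symlink
    inside the workspace that points at a file outside it, and separately
    swaps a validated regular file for a symlink after the check ran."""
    root = tempfile.mkdtemp()
    workspace = os.path.join(root, "workspace")
    outside = os.path.join(root, "outside")
    os.makedirs(workspace)
    os.makedirs(outside)
    victim = os.path.join(outside, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original")

    # Case 1: pre-planted symlink inside the workspace.
    os.symlink(victim, os.path.join(workspace, "notes.txt"))
    result = {
        "lexical_passes": lexical_check(workspace, "notes.txt"),
        "resolved_passes": resolved_check(workspace, "notes.txt"),
        "write_allowed": write_in_workspace(workspace, "notes.txt", b"evil"),
        "safe_write": write_in_workspace(workspace, "report.txt", b"ok"),
        "dotdot_passes": lexical_check(workspace, "../outside/victim.txt"),
    }

    # Case 2: check passes on a regular file, link swapped in before the write.
    draft = os.path.join(workspace, "draft.txt")
    with open(draft, "wb") as f:
        f.write(b"draft")
    result["race_check_passed"] = resolved_check(workspace, "draft.txt")
    os.remove(draft)
    os.symlink(victim, draft)
    result["race_write_allowed"] = open_nofollow_write(draft, b"evil")

    with open(victim, "rb") as f:
        result["victim_intact"] = f.read() == b"original"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The realpath comparison rejects the planted link, and `O_NOFOLLOW` turns the swapped link into an open error rather than an overwrite; on platforms without `O_NOFOLLOW` the flag is a no-op and only the first check applies, which is why the code reads it with `getattr`. Directory-component symlinks (a link earlier in the path) are not covered by `O_NOFOLLOW`; handling those needs `openat`-style traversal or a re-check of the resolved path at write time.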
OpenClaw versions prior to 2026.2.24 allow attackers to run hidden commands
CVE-2026-32052
Some versions of OpenClaw are vulnerable to a security risk that lets attackers trick the system into running hidden commands. This can happen when the system is told to run a command from a misleading ...
5.8
Scoreboard for HTML5 Games Lite plugin allows malicious scripts to run on WordPress sites
CVE-2026-4083
The Scoreboard for HTML5 Games Lite plugin for WordPress has a security flaw that allows attackers with admin access to inject malicious code into web pages. This could allow them to take control of a...
6.4
Contact List plugin for WordPress: Malicious scripts can be injected via Google Maps field
CVE-2026-3516
The Contact List plugin for WordPress is at risk because an attacker with contributor-level access can inject malicious scripts into the plugin's Google Maps field. This could allow the attacker to ta...
6.4
Image Alt Text Manager plugin for WordPress allows attackers to inject malicious scripts into posts
CVE-2026-3350
The Image Alt Text Manager plugin for WordPress is vulnerable to a security risk that allows attackers to inject malicious scripts into posts. This could allow an attacker to take control of a website...
6.4
Autoptimize Plugin for WordPress Can Allow Malicious Code Injection
CVE-2026-2430
The Autoptimize plugin for WordPress has a security flaw that allows attackers to inject malicious code into web pages. This can happen if a user with sufficient access rights edits a page with an ima...
6.4
Autoptimize plugin for WordPress allows attackers to inject malicious scripts
CVE-2026-2352
The Autoptimize plugin for WordPress is vulnerable to a security threat that could allow attackers to inject malicious code into a website. This means that if an attacker has permission to edit the we...
6.4
iTracker360 Plugin for WordPress: Malicious Scripts Injected via Administrator Action
CVE-2026-3572
The iTracker360 plugin for WordPress is vulnerable to a security flaw that allows attackers to inject malicious scripts if an administrator clicks on a link. This can happen if the plugin is version 2...
6.1
OpenClaw Control UI Pairing Bypass in Older Versions Allows Unauthorized Access
CVE-2026-32057
Older OpenClaw versions lack proper authentication checks for the Control UI pairing process, allowing a malicious user to gain unauthorized access to certain functions. This affects any organization ...
6.0
OpenClaw: Trusted Network Attackers Can Bypass Passwords on HTTP Gateway
CVE-2026-32045
Old versions of OpenClaw have a security mistake that lets attackers on trusted networks access sensitive areas of the HTTP gateway without the usual login requirements. This could let unauthorized pe...
8.2