CVE-2026-32040
Severity LOW · CVSS 4.0 base score 2.4 · EPSS 4.4%
Published Mar 19, 2026 (3 months ago) · Last modified Jun 17, 2026 (2 weeks ago)
Description
OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. An attacker who can write a session entry with a crafted mimeType attribute can break out of the img src data-URL context and achieve cross-site scripting when the exported HTML is opened.
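The pattern the description points at, as an added example that is not OpenClaw's code: an image content block is rendered into an <img src="data:..."> attribute, first with the mimeType interpolated unvalidated (the vulnerable shape), then with a strict allowlist on the MIME type and base64 payload plus attribute escaping. Function and field names (renderImageBlockVulnerable, renderImageBlockSafe, mimeType, data) and the sample blocks are assumptions constructed for this example.

```javascript
// Added example, not OpenClaw's code. Function and field names are assumptions.

// Vulnerable shape: mimeType flows into the attribute unvalidated, so a value
// containing a double quote closes the src attribute and the rest is markup.
function renderImageBlockVulnerable(block) {
  return `<img src="data:${block.mimeType};base64,${block.data}">`;
}

// Hardened shape: allowlist the MIME type (image/<token>, RFC 2045 token
// characters only) and the payload (base64 alphabet), refuse anything else.
const IMAGE_MIME_RE = /^image\/[a-z0-9][a-z0-9.+-]{0,63}$/i;
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Attribute-context escaping, kept as defence in depth even though the
// allowlist above already excludes quotes and angle brackets.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderImageBlockSafe(block) {
  const mime = String(block.mimeType ?? "");
  const data = String(block.data ?? "");
  if (!IMAGE_MIME_RE.test(mime) || !BASE64_RE.test(data)) {
    // Do not emit a data: URL at all for a block that fails validation.
    return '<span class="blocked-image">[image omitted: invalid content block]</span>';
  }
  return `<img src="${escapeHtmlAttr(`data:${mime};base64,${data}`)}">`;
}

// Constructed sample session entries (not taken from a real OpenClaw session).
const benignBlock = { mimeType: "image/png", data: "iVBORw0KGgo=" };
const maliciousBlock = {
  mimeType: 'image/png"><script>alert(document.domain)</script><img src="x',
  data: "AAAA",
};

// Crude check used by the demo: does a real <script> tag appear in the output?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  return {
    vulnerableHasScript: containsScriptTag(renderImageBlockVulnerable(maliciousBlock)),
    safeHasScript: containsScriptTag(renderImageBlockSafe(maliciousBlock)),
    benignSafe: renderImageBlockSafe(benignBlock),
  };
}

console.log(demo());
```

Validating the MIME type is the primary control; escaping alone would also stop this particular break-out, but rejecting a non-image or malformed type means the exporter never ships a data: URL it cannot account for.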
CVSS Details
Base score 2.4 (CVSS 4.0)
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User Interaction Passive
Vulnerable System Impact Confidentiality None / Integrity None / Availability None
Subsequent System Impact Confidentiality Low / Integrity Low / Availability None
Threat Intelligence
EPSS Exploit Probability
4.4%
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| openclaw | openclaw | * | <2026.2.23 |
References 3
- github.com https://github.com/openclaw/openclaw/pull/24140
- github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56
- vulncheck.com https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation
Remediation
No remediation data recorded yet. The affected range (<2026.2.23) and the linked pull request indicate the fix shipped in OpenClaw 2026.2.23; confirm against the GHSA advisory and the NVD entry before relying on that version.