Description
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
Published: 2026-06-16
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the exported session HTML feature in OpenClaw, which preserves unsafe javascript: and data: links in the generated content. When a trusted operator opens the exported file in a web browser and activates one of these links, malicious script runs in the operator's browser context with the operator's credentials. The flaw is a typical XSS bug, classified as CWE-83, and can compromise the confidentiality and integrity of the user's data within the browser context, but it does not provide a direct remote code execution pathway.

Affected Systems

OpenClaw instances running before version 2026.5.12 are affected. The issue applies to all installations that use the exported session HTML functionality.

Risk and Exploitability

With a CVSS score of 2.1, the severity is low, and an EPSS score below 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no public exploit is known. The likely attack path requires internal access to the system and relies on an operator opening the malicious exported file, so the risk is limited to environments where exported files are shared among trusted users.

Generated by OpenCVE AI on June 17, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.5.12 or later to remove the XSS flaw.
  • Restrict exported session HTML files to trusted personnel and verify that any links have been removed or sanitized before the files are opened.
  • If upgrading immediately is not possible, strip or replace any javascript: and data: links from the exported HTML to prevent script execution.
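The third action above, as an added defensive example that is not OpenClaw's code: an allow-list href sanitizer for exported HTML that neutralizes javascript: and data: links, including scheme spellings hidden behind character references or embedded whitespace. It assumes the exporter emits plain `<a href=...>` anchors, as a Markdown-to-HTML converter would.

```javascript
// Added example (not OpenClaw's code): keep only allow-listed URL schemes in
// the href attributes of an exported HTML string. Assumes plain <a href=...>
// anchors; relative links and fragments carry no scheme and are kept as-is.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Map a code point to a character, guarding against out-of-range references.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// Decode the character references that can disguise a scheme, e.g.
// "&#106;avascript:" or "java&#x73;cript&colon;", before the scheme is read.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
}

// True if the URL has no scheme (relative link or fragment) or an allow-listed
// one. Browsers ignore ASCII controls and whitespace inside a scheme
// ("java\tscript:"), so those are stripped before the scheme is extracted.
function isSafeHref(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Replace each unsafe href with an inert "#" and mark the anchor so that the
// removal is visible on review rather than silently dropping the link.
function sanitizeHrefs(html) {
  const attr = /(<a\b[^>]*?\shref\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return html.replace(attr, (whole, pre, dq, sq, bare) => {
    const value = dq ?? sq ?? bare;
    return isSafeHref(value) ? whole : `${pre}"#" data-href-blocked`;
  });
}
```

Run it over the exported file before it is shared; anchors tagged `data-href-blocked` are the ones that would have carried a javascript: or data: URL.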

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Values added (the Values Removed column of this entry is empty):
  • Description: OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
  • Title: OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session HTML
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-83
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References: (none)
  • Metrics:
      cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
      cvssV4_0: {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T14:48:32.623Z

Reserved: 2026-06-10T21:19:32.651Z

Link: CVE-2026-53841

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-16T19:17:00.993

Modified: 2026-06-16T20:42:46.200

Link: CVE-2026-53841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:00:12Z

Weaknesses
  • CWE-83: Improper Neutralization of Script in Attributes in a Web Page