Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cad403d66d08 · 2026-03-06T01:02:24.000Z
GHSA-3m3q-x3gj-f79x GHSA-64qx-vpxx-mvqf GHSA-7vwx-582j-j332 GHSA-rmxw-jxxx-4cpc GHSA-v6c6-vqqg-w888 GHSA-wfp2-v9c7-fh79 GHSA-xc7w-v5x6-cc87 GHSA-7xhj-55q9-pc3m GHSA-p25h-9q54-ffvw
diff --git a/advisories/github-reviewed/2026/02/GHSA-3m3q-x3gj-f79x/GHSA-3m3q-x3gj-f79x.json b/advisories/github-reviewed/2026/02/GHSA-3m3q-x3gj-f79x/GHSA-3m3q-x3gj-f79x.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3m3q-x3gj-f79x",
-  "modified": "2026-03-05T21:48:53Z",
+  "modified": "2026-03-06T01:01:21Z",
   "published": "2026-02-17T21:31:58Z",
   "aliases": [
     "CVE-2026-28465"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -59,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28465"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f"
@@ -70,15 +78,20 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-287"
+      "CWE-287",
+      "CWE-345"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T21:31:58Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:19Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-64qx-vpxx-mvqf/GHSA-64qx-vpxx-mvqf.json b/advisories/github-reviewed/2026/02/GHSA-64qx-vpxx-mvqf/GHSA-64qx-vpxx-mvqf.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-64qx-vpxx-mvqf",
-  "modified": "2026-03-05T21:47:27Z",
+  "modified": "2026-03-06T01:00:19Z",
   "published": "2026-02-17T16:43:51Z",
   "aliases": [
     "CVE-2026-28459"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28459"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda"
@@ -55,6 +63,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path"
     }
   ],
   "database_specific": {
@@ -67,6 +79,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T16:43:51Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:18Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-7vwx-582j-j332/GHSA-7vwx-582j-j332.json b/advisories/github-reviewed/2026/02/GHSA-7vwx-582j-j332/GHSA-7vwx-582j-j332.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7vwx-582j-j332",
-  "modified": "2026-03-05T21:54:43Z",
+  "modified": "2026-03-06T01:02:00Z",
   "published": "2026-02-17T21:38:14Z",
   "aliases": [
     "CVE-2026-28481"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28481"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b"
@@ -51,15 +59,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-bearer-token-leakage-via-ms-teams-attachment-downloader-suffix-matching"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-201"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T21:38:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:22Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-rmxw-jxxx-4cpc/GHSA-rmxw-jxxx-4cpc.json b/advisories/github-reviewed/2026/02/GHSA-rmxw-jxxx-4cpc/GHSA-rmxw-jxxx-4cpc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rmxw-jxxx-4cpc",
-  "modified": "2026-03-05T21:51:00Z",
+  "modified": "2026-03-06T01:01:45Z",
   "published": "2026-02-17T21:34:17Z",
   "aliases": [
     "CVE-2026-28471"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28471"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf"
@@ -51,15 +59,20 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-displayname-and-cross-homeserver-localpart-matching-in-matrix"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-287",
       "CWE-290"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T21:34:17Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:20Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-v6c6-vqqg-w888/GHSA-v6c6-vqqg-w888.json b/advisories/github-reviewed/2026/02/GHSA-v6c6-vqqg-w888/GHSA-v6c6-vqqg-w888.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v6c6-vqqg-w888",
-  "modified": "2026-03-05T21:46:11Z",
+  "modified": "2026-03-06T00:59:44Z",
   "published": "2026-02-18T00:57:48Z",
   "aliases": [
     "CVE-2026-28456"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28456"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce"
@@ -55,15 +63,20 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unsafe-hook-module-path-handling"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-22"
+      "CWE-22",
+      "CWE-427"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-18T00:57:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:18Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-wfp2-v9c7-fh79/GHSA-wfp2-v9c7-fh79.json b/advisories/github-reviewed/2026/02/GHSA-wfp2-v9c7-fh79/GHSA-wfp2-v9c7-fh79.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wfp2-v9c7-fh79",
-  "modified": "2026-03-05T21:49:36Z",
+  "modified": "2026-03-06T01:01:05Z",
   "published": "2026-02-17T21:30:48Z",
   "aliases": [
     "CVE-2026-28467"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28467"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae"
@@ -55,6 +63,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-ssrf-via-attachment-media-url-hydration"
     }
   ],
   "database_specific": {
@@ -64,6 +76,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T21:30:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:19Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-xc7w-v5x6-cc87/GHSA-xc7w-v5x6-cc87.json b/advisories/github-reviewed/2026/02/GHSA-xc7w-v5x6-cc87/GHSA-xc7w-v5x6-cc87.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xc7w-v5x6-cc87",
-  "modified": "2026-03-05T22:01:17Z",
+  "modified": "2026-03-06T01:00:29Z",
   "published": "2026-02-17T17:14:00Z",
   "aliases": [
     "CVE-2026-29613"
@@ -12,6 +12,10 @@
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29613"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a"
@@ -55,15 +63,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-authentication-bypass-via-loopback-remoteaddress-trust"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-306"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-17T17:14:00Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T22:16:24Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-7xhj-55q9-pc3m/GHSA-7xhj-55q9-pc3m.json b/advisories/github-reviewed/2026/03/GHSA-7xhj-55q9-pc3m/GHSA-7xhj-55q9-pc3m.json
diff --git a/advisories/github-reviewed/2026/03/GHSA-p25h-9q54-ffvw/GHSA-p25h-9q54-ffvw.json b/advisories/github-reviewed/2026/03/GHSA-p25h-9q54-ffvw/GHSA-p25h-9q54-ffvw.json
