Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1b8497a209ca · 2026-04-10T19:39:13.000Z
GHSA-cxmw-p77q-wchg GHSA-qm9x-v7cx-7rq4 GHSA-rvqr-hrcc-j9vv GHSA-2vq4-854f-5c72 GHSA-48ch-p4gq-x46x GHSA-96q5-xm3p-7m84 GHSA-fgfv-pv97-6cmj GHSA-r4fg-73rc-hhh7
diff --git a/advisories/github-reviewed/2026/03/GHSA-cxmw-p77q-wchg/GHSA-cxmw-p77q-wchg.json b/advisories/github-reviewed/2026/03/GHSA-cxmw-p77q-wchg/GHSA-cxmw-p77q-wchg.json
@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cxmw-p77q-wchg",
-  "modified": "2026-04-10T17:21:07Z",
+  "modified": "2026-04-10T19:38:04Z",
   "published": "2026-03-26T19:30:52Z",
   "aliases": [
     "CVE-2026-35643"
   ],
   "summary": "OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface",
   "details": "## Summary\nAndroid Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `8b02ef133275be96d8aac2283100016c8a7f32e5`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- apps/android/app/src/main/java/ai/openclaw/app/ui/CanvasScreen.kt now snapshots page origin and rejects untrusted bridge calls.\n- apps/android/app/src/main/java/ai/openclaw/app/node/CanvasActionTrust.kt centralizes trusted origin and path validation for the bridge.\n\nOpenClaw thanks @cyjhhh for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,13 +44,25 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35643"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface"
     }
   ],
   "database_specific": {
@@ -57,6 +73,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-26T19:30:52Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:04Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-qm9x-v7cx-7rq4/GHSA-qm9x-v7cx-7rq4.json b/advisories/github-reviewed/2026/03/GHSA-qm9x-v7cx-7rq4/GHSA-qm9x-v7cx-7rq4.json
@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qm9x-v7cx-7rq4",
-  "modified": "2026-04-10T17:29:00Z",
+  "modified": "2026-04-10T19:37:43Z",
   "published": "2026-03-26T19:08:45Z",
   "aliases": [
     "CVE-2026-35666"
   ],
   "summary": "OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper",
   "details": "## Summary\nAllow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `39409b6a6dd4239deea682e626bac9ba547bfb14`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/dispatch-wrapper-resolution.ts now unwraps /usr/bin/time and binds approvals to the real inner executable.\n- src/infra/exec-approvals-allow-always.test.ts ships regression coverage for time-wrapper allow-always approval bypasses.\n\nOpenClaw thanks @YLChen-007 for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,22 +44,35 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35666"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-unregistered-time-dispatch-wrapper"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-706",
       "CWE-863"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-26T19:08:45Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:08Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-rvqr-hrcc-j9vv/GHSA-rvqr-hrcc-j9vv.json b/advisories/github-reviewed/2026/03/GHSA-rvqr-hrcc-j9vv/GHSA-rvqr-hrcc-j9vv.json
@@ -1,17 +1,21 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rvqr-hrcc-j9vv",
-  "modified": "2026-04-10T17:26:46Z",
+  "modified": "2026-04-10T19:38:24Z",
   "published": "2026-03-26T19:50:24Z",
   "aliases": [
     "CVE-2026-35659"
   ],
   "summary": "OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution",
   "details": "## Summary\nBonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: < 2026.3.22\n- Fixed: >= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `deecf68b59a9b7eea978e40fd3c2fe543087b569`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- src/infra/bonjour-discovery.ts now resolves and returns only concrete endpoints instead of falling back to unresolved TXT host and port hints.\n- src/cli/gateway-cli/discover.ts consumes only the fail-closed resolved endpoint path.\n\nOpenClaw thanks @nexrin for reporting.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,13 +44,25 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35659"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-unresolved-service-metadata-routing-via-bonjour-and-dns-sd-discovery"
     }
   ],
   "database_specific": {
@@ -57,6 +73,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-26T19:50:24Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:07Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-2vq4-854f-5c72/GHSA-2vq4-854f-5c72.json b/advisories/github-reviewed/2026/04/GHSA-2vq4-854f-5c72/GHSA-2vq4-854f-5c72.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2vq4-854f-5c72",
-  "modified": "2026-04-10T15:33:50Z",
+  "modified": "2026-04-10T19:36:15Z",
   "published": "2026-04-10T15:33:50Z",
   "aliases": [
     "CVE-2026-35595"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35595"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/pull/2583"
@@ -67,6 +71,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T15:33:50Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:02Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-48ch-p4gq-x46x/GHSA-48ch-p4gq-x46x.json b/advisories/github-reviewed/2026/04/GHSA-48ch-p4gq-x46x/GHSA-48ch-p4gq-x46x.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-48ch-p4gq-x46x",
-  "modified": "2026-04-10T15:34:23Z",
+  "modified": "2026-04-10T19:36:26Z",
   "published": "2026-04-10T15:34:23Z",
   "aliases": [
     "CVE-2026-35598"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35598"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/pull/2579"
@@ -67,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T15:34:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:03Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-96q5-xm3p-7m84/GHSA-96q5-xm3p-7m84.json b/advisories/github-reviewed/2026/04/GHSA-96q5-xm3p-7m84/GHSA-96q5-xm3p-7m84.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-96q5-xm3p-7m84",
-  "modified": "2026-04-10T15:31:11Z",
+  "modified": "2026-04-10T19:36:07Z",
   "published": "2026-04-10T15:31:11Z",
   "aliases": [
     "CVE-2026-35594"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35594"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/pull/2581"
@@ -67,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T15:31:11Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T16:16:32Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-fgfv-pv97-6cmj/GHSA-fgfv-pv97-6cmj.json b/advisories/github-reviewed/2026/04/GHSA-fgfv-pv97-6cmj/GHSA-fgfv-pv97-6cmj.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fgfv-pv97-6cmj",
-  "modified": "2026-04-10T15:34:14Z",
+  "modified": "2026-04-10T19:36:20Z",
   "published": "2026-04-10T15:34:14Z",
   "aliases": [
     "CVE-2026-35597"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-fgfv-pv97-6cmj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35597"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/pull/2576"
@@ -67,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T15:34:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:03Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-r4fg-73rc-hhh7/GHSA-r4fg-73rc-hhh7.json b/advisories/github-reviewed/2026/04/GHSA-r4fg-73rc-hhh7/GHSA-r4fg-73rc-hhh7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r4fg-73rc-hhh7",
-  "modified": "2026-04-10T15:34:41Z",
+  "modified": "2026-04-10T19:36:35Z",
   "published": "2026-04-10T15:34:41Z",
   "aliases": [
     "CVE-2026-35599"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35599"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/pull/2577"
@@ -67,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-10T15:34:41Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-10T17:17:03Z"
   }
 }
