CVE-2026-53841 PUBLISHED

OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session HTML

Assigner: VulnCheck
Reserved: 10.06.2026 Published: 16.06.2026 Updated: 17.06.2026

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
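
The mitigation class for this issue is a scheme allowlist applied to link destinations at export time. The sketch below is an added example, not OpenClaw's code or its actual patch; the function names, the allowed schemes and the choice to drop relative links are assumptions made for illustration.

```javascript
// Added example (hypothetical names): render markdown inline links into
// exported HTML, keeping only absolute links with an allowlisted scheme.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Returns a normalized href, or null when the link must not be emitted.
// The WHATWG URL parser strips leading spaces and embedded tabs/newlines
// and lowercases the scheme, so the check sees what a browser would see.
function safeHref(href) {
  try {
    const url = new URL(href); // throws on relative input (dropped here)
    return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null;
  }
}

// Unsafe links degrade to their escaped link text only.
function renderLink(text, href) {
  const safe = safeHref(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">` +
         `${escapeHtml(text)}</a>`;
}

// Minimal [text](dest) matcher; a real exporter would hook the same check
// into its markdown renderer's link callback instead of using a regex.
function renderLine(md) {
  const linkRe = /\[([^\]]*)\]\(([^)]*)\)/g;
  let out = "", last = 0;
  for (const m of md.matchAll(linkRe)) {
    out += escapeHtml(md.slice(last, m.index)) + renderLink(m[1], m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(md.slice(last));
}

// Constructed sample input
console.log(renderLine("[docs](https://example.com/a) and [x](data:text/html,hello)"));
```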

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 2.1

Product Status

Vendor OpenClaw
Product OpenClaw
Versions Default: unaffected
  • affected from 0 to 2026.5.12 (excl.)
  • Version 2026.5.12 is unaffected

Credits

  • Edward-x (@YLChen-007) reporter

Problem Types

  • Improper Neutralization of Script in Attributes in a Web Page CWE