cvedb.io
CVE-2026-27009
MEDIUM · CVSS 5.8
EPSS exploitation probability: 0%
Published 2026-02-20T00:16:17.620 · Last modified 2026-06-17T10:26:31.890

Summary

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a stored XSS issue existed in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed the inline script injection, serves the bootstrap config from a JSON endpoint instead, and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).
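The two halves of this advisory (the unsafe inline-script pattern and the fix) are easy to reason about with a small worked example. The code below is an added illustration, not OpenClaw's own code: it renders a constructed identity object into an inline `<script>` the unsafe way, then the script-context-safe way (JSON plus `\u` escapes for `<`, `>`, `&` and the two JSON-legal line terminators), and finally sketches the approach the fixed version takes, a JSON endpoint behind a `script-src 'self'` CSP. The `window.__BOOT__` global, the `bootstrapConfigResponse` handler shape and the sample identity value are all assumptions made for the example.

```javascript
// Added example (not OpenClaw code): embedding untrusted values in an inline
// <script>, the breakout the advisory describes, and two mitigations.

// Unsafe pattern: the value is dropped into the script body verbatim.
// HTML-escaping does not apply here because the HTML tokenizer ends a
// script element at the first "</script" it sees, whether or not that
// text sits inside a JavaScript string literal.
function renderBootstrapUnsafe(identity) {
  return `<script>window.__BOOT__ = ${JSON.stringify(identity)};</script>`;
}

// Script-context-safe serializer: JSON.stringify, then replace the
// characters the HTML parser cares about (and U+2028/U+2029, which are
// valid in JSON strings but not in older JS string literals) with \u
// escapes. The output is still valid JSON, so JSON.parse round-trips it.
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderBootstrapSafe(identity) {
  return `<script>window.__BOOT__ = ${toScriptSafeJson(identity)};</script>`;
}

// Detection helper for a test suite or template linter: does anything
// between the opening and closing script tags let the tokenizer leave the
// element early? Case-insensitive, because the HTML parser is.
function scriptBreakout(html) {
  const open = '<script>';
  const body = html.slice(open.length, html.lastIndexOf('</script>'));
  return /<\/script/i.test(body);
}

// The approach the fixed version describes: no inline script at all. The
// config is served as JSON and the page's CSP only permits same-origin
// scripts, so even a future template mistake cannot run injected code.
// (Hypothetical response shape; assumption for this example.)
const CONTROL_UI_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

function bootstrapConfigResponse(identity) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'Content-Security-Policy': CONTROL_UI_CSP,
      'X-Content-Type-Options': 'nosniff',
    },
    body: JSON.stringify(identity),
  };
}

// Constructed sample: an assistant name that closes the script element.
const craftedIdentity = {
  name: 'Bob</script><script>console.log("injected")</script>',
  avatar: 'https://example.invalid/avatar.png',
};

// Stand-alone demonstration.
console.log('unsafe breakout:', scriptBreakout(renderBootstrapUnsafe(craftedIdentity)));
console.log('safe breakout:  ', scriptBreakout(renderBootstrapSafe(craftedIdentity)));
console.log('round-trip ok:  ',
  JSON.parse(toScriptSafeJson(craftedIdentity)).name === craftedIdentity.name);
```

The escaping route is the minimal patch for a template that must keep an inline script; the JSON-endpoint-plus-CSP route removes the script context entirely, which is why it is the stronger of the two and the one the advisory credits for the fix.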

Affected products

openclaw — openclaw

