CVE-2026-32040
HTML Injection in OpenClaw Session Exporter Enables XSS Execution
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.2.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
OpenClaw versions prior to 2026.2.23 have an HTML injection vulnerability in the HTML session exporter. This vulnerability allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values into image content blocks.
Attackers can create session entries with specially crafted mimeType attributes that break out of the img src data-URL context, enabling cross-site scripting (XSS) when the exported HTML is opened.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting attacks, allowing attackers to execute arbitrary JavaScript in the context of the exported HTML session.
Such attacks can potentially lead to unauthorized actions, data theft, or session hijacking when a user opens the exported HTML containing the malicious code.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know