Vulnerability Description
OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when exported HTML is opened.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.23 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/pull/24140Issue Tracking
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56Vendor AdvisoryExploit
- https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-imaThird Party Advisory
FAQ
What is CVE-2026-32040?
CVE-2026-32040 is a vulnerability with a CVSS score of 4.6 (MEDIUM). OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values i...
How severe is CVE-2026-32040?
CVE-2026-32040 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32040?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.