DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2WW6-868G-2C56: CVE-2026-27009: Stored XSS via HTML Injection in OpenClaw Image Generation

#security #cve #cybersecurity #ghsa

CVE-2026-27009: Stored XSS via HTML Injection in OpenClaw Image Generation

Vulnerability ID: GHSA-2WW6-868G-2C56
CVSS Score: 6.1
Published: 2026-03-03

OpenClaw contains a critical Stored Cross-Site Scripting (XSS) vulnerability within its image generation skill. The application fails to sanitize user-supplied prompts and filenames before interpolating them into HTML gallery files. This allows attackers to inject malicious JavaScript execution vectors that trigger when the gallery is viewed, potentially leading to session hijacking or arbitrary code execution in the context of the application dashboard.

TL;DR

Unsanitized f-string interpolation in OpenClaw's gen.py script allows attackers to inject arbitrary HTML and JavaScript via image prompts. The vulnerability is fixed in commit f3adf142 by implementing html.escape().

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Vulnerability Type: Stored XSS / HTML Injection
  • Attack Vector: Network
  • Affected Component: openai-image-gen/scripts/gen.py
  • CVSS Score: 6.1 (Estimated)
  • Patch Status: Patched

Affected Systems

  • OpenClaw AI Framework
  • OpenClaw openai-image-gen skill
  • OpenClaw: < 2026-02-23 (Commit f3adf14) (Fixed in: Commit f3adf14)

Code Analysis

Commit: f3adf14

Fix HTML injection vulnerability in gallery generation

@@ -10,7 +10,7 @@
 <figure>
-  <a href="{it["file"]}"><img src="{it["file"]}" loading="lazy" /></a>
-  <figcaption>{it["prompt"]}</figcaption>
+  <a href="{html_escape(it["file"], quote=True)}"><img src="{html_escape(it["file"], quote=True)}" loading="lazy" /></a>
+  <figcaption>{html_escape(it["prompt"])}</figcaption>
 </figure>
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Input Validation
  • Output Encoding
  • Content Security Policy (CSP)

Remediation Steps:

  1. Update OpenClaw to the latest version immediately (post-February 23, 2026).
  2. Verify that skills/openai-image-gen/scripts/gen.py contains calls to html.escape.
  3. If immediate update is not possible, manually apply the patch by wrapping it['file'] and it['prompt'] with html.escape(..., quote=True) in the write_gallery function.
  4. Implement a strict Content Security Policy (CSP) that restricts script-src to trusted domains and forbids inline scripts.

References

Read the full report for GHSA-2WW6-868G-2C56 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)