Search
Find a vulnerability
Search criteria
2 vulnerabilities by AidanPark
CVE-2026-15193 (GCVE-0-2026-15193)
Vulnerability from nvd – Published: 2026-07-09 16:45 – Updated: 2026-07-09 17:51
VLAI
EPSS
VEX
Title
AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection
Summary
A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377120 | vdb-entry |
| https://vuldb.com/vuln/377120/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15193 | third-party-advisory |
| https://vuldb.com/submit/851623 | third-party-advisory |
| https://github.com/AidanPark/openclaw-android/iss… | exploitissue-tracking |
| https://github.com/AidanPark/openclaw-android/pull/137 | issue-trackingpatch |
| https://github.com/AidanPark/openclaw-android/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AidanPark | openclaw-android |
Affected:
0.1
Affected: 0.2 Affected: 0.3 Affected: 0.4.0 cpe:2.3:o:aidanpark:openclaw-android:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15193",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:51:12.947661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:51:39.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:aidanpark:openclaw-android:*:*:*:*:*:*:*:*"
],
"modules": [
"Android WebView Bridge"
],
"product": "openclaw-android",
"vendor": "AidanPark",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem00000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:45:08.144Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377120 | AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377120"
},
{
"name": "VDB-377120 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377120/cti"
},
{
"name": "CVE-2026-15193 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15193"
},
{
"name": "Submit #851623 | AidanPark openclaw-android 0.4.0 Arbitrary Command Execution / Policy Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851623"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/AidanPark/openclaw-android/issues/136"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/AidanPark/openclaw-android/pull/137"
},
{
"tags": [
"product"
],
"url": "https://github.com/AidanPark/openclaw-android/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:48:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15193",
"datePublished": "2026-07-09T16:45:08.144Z",
"dateReserved": "2026-07-09T05:42:57.622Z",
"dateUpdated": "2026-07-09T17:51:39.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15193 (GCVE-0-2026-15193)
Vulnerability from cvelistv5 – Published: 2026-07-09 16:45 – Updated: 2026-07-09 17:51
VLAI
EPSS
VEX
Title
AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection
Summary
A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377120 | vdb-entry |
| https://vuldb.com/vuln/377120/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15193 | third-party-advisory |
| https://vuldb.com/submit/851623 | third-party-advisory |
| https://github.com/AidanPark/openclaw-android/iss… | exploitissue-tracking |
| https://github.com/AidanPark/openclaw-android/pull/137 | issue-trackingpatch |
| https://github.com/AidanPark/openclaw-android/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AidanPark | openclaw-android |
Affected:
0.1
Affected: 0.2 Affected: 0.3 Affected: 0.4.0 cpe:2.3:o:aidanpark:openclaw-android:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15193",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T17:51:12.947661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T17:51:39.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:aidanpark:openclaw-android:*:*:*:*:*:*:*:*"
],
"modules": [
"Android WebView Bridge"
],
"product": "openclaw-android",
"vendor": "AidanPark",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem00000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in AidanPark openclaw-android up to 0.4.0. The affected element is an unknown function of the file android/app/src/main/java/com/openclaw/android/JsBridge.kt of the component Android WebView Bridge. This manipulation causes os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "OS Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T16:45:08.144Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377120 | AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/377120"
},
{
"name": "VDB-377120 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377120/cti"
},
{
"name": "CVE-2026-15193 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15193"
},
{
"name": "Submit #851623 | AidanPark openclaw-android 0.4.0 Arbitrary Command Execution / Policy Bypass",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/851623"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/AidanPark/openclaw-android/issues/136"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/AidanPark/openclaw-android/pull/137"
},
{
"tags": [
"product"
],
"url": "https://github.com/AidanPark/openclaw-android/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-09T07:48:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "AidanPark openclaw-android Android WebView Bridge JsBridge.kt os command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15193",
"datePublished": "2026-07-09T16:45:08.144Z",
"dateReserved": "2026-07-09T05:42:57.622Z",
"dateUpdated": "2026-07-09T17:51:39.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}