GHSA-cxmw-p77q-wchg: OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface

March 26, 2026

Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.

References

github.com/advisories/GHSA-cxmw-p77q-wchg
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg

Code Behaviors & Features

Detect and mitigate GHSA-cxmw-p77q-wchg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →