The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade openclaw to version 2026.5.28 or higher.
openclaw is a 🦞 OpenClaw — Personal AI Assistant
Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through workspace dotenv loading in the gateway's provider credential resolution path. An attacker can supply a workspace .env file or controlled path that is loaded ahead of trusted provider settings, causing the gateway to use attacker-controlled environment values instead of the intended credentials. This exposes provider credentials or other sensitive data tied to those credentials, and it can break access to the affected provider by sending requests with the wrong identity or secrets.
Workarounds
.env files and other configured input paths to trusted operators only; do not let lower-trust users supply those paths, as this prevents attacker-controlled environment values from overriding provider credentials.