Product
The openclaw npm package before version 2026.3.22 is vulnerable to arbitrary code execution, where an attacker could inject instructions into the app by invoking the JavascriptInterface bridge from untrusted origins within Android Canvas WebView pages.