Product
OpenClaw before 2026.4.22 is vulnerable to server-side request forgery (SSRF) due to improper validation of outbound photo URLs in the Zalo plugin's sendPhoto function, allowing attackers to potentially access internal resources by providing malicious photo URLs to the Zalo Bot API.