Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

9,690 advisories

Loading
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists High
CVE-2026-32037 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading High
CVE-2026-28393 was published for openclaw (npm) Mar 3, 2026
akhmittra Credited to akhmittra
OpenClaw has command injection via Windows shell fallback in Lobster tool execution High
CVE-2026-32000 was published for openclaw (npm) Mar 3, 2026
allsmog Credited to allsmog
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection High
GHSA-qj22-xqjr-v83v was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction High
CVE-2026-27905 was published for bentoml (pip) Mar 3, 2026
q1uf3ng Credited to q1uf3ng
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack High
CVE-2026-27601 was published for underscore (npm) Mar 3, 2026
ByamB4 Credited to ByamB4 and jgonggrijp jgonggrijp jgonggrijp
Django vulnerable to Uncontrolled Resource Consumption High
CVE-2026-25673 was published for Django (pip) Mar 3, 2026
OpenViking contains a Path Traversal vulnerability High
CVE-2026-28518 was published for openviking (pip) Mar 3, 2026
Rancher's restricted PodSecurityPolicy does not prevent containers from running as a privileged user High
GHSA-hwm2-4ph6-w6m5 was published for github.com/rancher/rancher (Go) Mar 3, 2026
Rancher's Azure AD permission changes are not reflected on active sessions High
CVE-2023-22648 was published for github.com/rancher/rancher (Go) Mar 3, 2026
yvespp Credited to yvespp
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy High
CVE-2026-32014 was published for openclaw (npm) Mar 3, 2026
76embiid21 Credited to 76embiid21
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind High
CVE-2026-27545 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset High
CVE-2026-27522 was published for openclaw (npm) Mar 2, 2026
GCXWLP Credited to GCXWLP
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed High
GHSA-hwpq-rrpf-pgcq was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval High
GHSA-943q-mwmv-hhvh was published for openclaw (npm) Mar 2, 2026
aether-ai-agent Credited to aether-ai-agent
OpenClaw has non-constant-time token comparison in hooks authentication High
CVE-2026-28464 was published for openclaw (npm) Mar 2, 2026
akhmittra Credited to akhmittra
OpenClaw has Zip Slip path traversal in tar archive extraction High
CVE-2026-28453 was published for openclaw (npm) Mar 2, 2026
xuemian168 Credited to xuemian168 and ShangzhiXu ShangzhiXu ShangzhiXu
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure High
CVE-2026-32062 was published for @openclaw/voice-call (npm) Mar 2, 2026
jiseoung Credited to jiseoung
OpenClaw Canvas Path Traversal Information Disclosure Vulnerability High
GHSA-jq4x-98m3-ggq6 was published for openclaw (npm) Mar 2, 2026
zdi-disclosures Credited to zdi-disclosures
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments High
CVE-2026-22168 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
@keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script High
GHSA-8986-v76q-8vr2 was published for @keep-network/tbtc-v2 (npm) Mar 2, 2026
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind High
CVE-2026-31997 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw has web_search citation redirect SSRF via private-network-allowing policy High
CVE-2026-31989 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools High
GHSA-jr6x-2q95-fh2g was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root High
GHSA-7xmq-g46g-f8pv was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database