Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

98 advisories

Loading
FlowiseAI: Vector Store No Permission Checks High
CVE-2026-46444 was published for flowise (npm) May 14, 2026
Dimpyj1604 Credited to Dimpyj1604
Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
GHSA-wwwc-f646-vj2j was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Moderate
GHSA-82rm-qcfx-2v78 was published for openclaw (npm) May 6, 2026 withdrawn
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes High
GHSA-cwj3-vqpp-pmxr was published for openclaw (npm) May 5, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Moderate
CVE-2026-44991 was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay High
CVE-2026-42226 was published for n8n (npm) Apr 29, 2026
ESPanda666 Credited to ESPanda666
n8n Vulnerable to Hijacking of Unauthenticated Chat Execution Moderate
CVE-2026-42228 was published for n8n (npm) Apr 29, 2026
34selen Credited to 34selen, Aikido-Security, JorianWoltjer, reindaelman, grumpinout1, and vbCrLf Aikido-Security Aikido-Security
JorianWoltjer JorianWoltjer reindaelman reindaelman grumpinout1 grumpinout1 vbCrLf vbCrLf
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy Moderate
GHSA-qrp5-gfw2-gxv4 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md High
GHSA-7vq9-42cc-33j4 was published for openclaw (npm) Apr 24, 2026 withdrawn
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers High
CVE-2026-33318 was published for @actual-app/sync-server (npm) Apr 23, 2026
Rex50527 Credited to Rex50527 and MatissJanis MatissJanis MatissJanis
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools High
CVE-2026-42433 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
CVE-2026-43580 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
CVE-2026-43573 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy Moderate
CVE-2026-42439 was published for openclaw (npm) Apr 17, 2026
nicky-cc Credited to nicky-cc
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows High
CVE-2026-43571 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Empty approver lists could grant explicit approval authorization Moderate
CVE-2026-43574 was published for openclaw (npm) Apr 17, 2026
anshumanbh Credited to anshumanbh
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
CVE-2026-43572 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
CVE-2026-43583 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
CVE-2026-42436 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys Critical
GHSA-47wq-cj9q-wpmp was published for @paperclipai/server (npm) Apr 16, 2026
peaktwilight Credited to peaktwilight
Flowise: Sensitive Data Leak in public-chatbotConfig High
CVE-2026-41266 was published for flowise (npm) Apr 16, 2026
DenizParlak Credited to DenizParlak
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
CVE-2026-41679 was published for @paperclipai/server (npm) Apr 10, 2026
sagilayani Credited to sagilayani
@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections Critical
CVE-2026-39397 was published for @delmaredigital/payload-puck (npm) Apr 8, 2026
Dag-Rui Credited to Dag-Rui
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill Moderate
CVE-2026-41298 was published for openclaw (npm) Apr 7, 2026
EaEa0001 Credited to EaEa0001
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity Critical
CVE-2026-33950 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database