GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
3,940 advisories
Missing authentication and authorization in the web API of Tata Consultancy Services Cognix Recon...
High | Unreviewed | CVE-2026-26418 was published | Mar 5, 2026

A broken access control vulnerability in the password reset functionality of Tata Consultancy...
High | Unreviewed | CVE-2026-26417 was published | Mar 5, 2026

Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Moderate | CVE-2026-29061 was published for github.com/forceu/gokapi (Go) | Mar 5, 2026

Gokapi has privilege escalation with auth token
Moderate | CVE-2026-29060 was published for github.com/forceu/gokapi (Go) | Mar 5, 2026

Gokapi has Data Leak in Upload Status Stream
Moderate | CVE-2026-28682 was published for github.com/forceu/gokapi (Go) | Mar 5, 2026

A Improper Access Control vulnerability in the kernel of SUSE SUSE Linux Enterprise Server 12 SP5...
High | Unreviewed | CVE-2026-25702 was published | Mar 5, 2026

File Browser's TUS Delete Endpoint Bypasses Delete Permission Check
Critical | CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) | Mar 4, 2026

Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote...
High | Unreviewed | CVE-2026-3543 was published | Mar 4, 2026

Inappropriate implementation in WebAssembly in Google Chrome prior to 145.0.7632.159 allowed a...
High | Unreviewed | CVE-2026-3542 was published | Mar 4, 2026

Inappropriate implementation in CSS in Google Chrome prior to 145.0.7632.159 allowed a remote...
High | Unreviewed | CVE-2026-3541 was published | Mar 4, 2026

OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
Moderate | GHSA-q6qf-4p5j-r25g was published for openclaw (npm) | Mar 4, 2026

A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco...
Moderate | Unreviewed | CVE-2026-20073 was published | Mar 4, 2026

A vulnerability in the Snort 2 and Snort 3 deep packet inspection of Cisco Secure Firewall Threat...
Moderate | Unreviewed | CVE-2026-20007 was published | Mar 4, 2026

OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
Moderate | GHSA-534w-2vm4-89xr was published for openclaw (npm) | Mar 3, 2026

OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Moderate | GHSA-gw85-xp4q-5gp9 was published for openclaw (npm) | Mar 3, 2026

OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)
Moderate | GHSA-h9xm-j4qg-fvpg was published for openclaw (npm) | Mar 3, 2026

Incorrect access control in the VNC component of Weintek cMT-3072XH2 easyweb v2.1.53, OS...
Moderate | Unreviewed | CVE-2024-55025 was published | Mar 3, 2026

Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web...
Moderate | Unreviewed | CVE-2024-55019 was published | Mar 3, 2026

OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
Moderate | GHSA-ccg8-46r6-9qgj was published for openclaw (npm) | Mar 3, 2026

OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
High | GHSA-9f72-qcpw-2hxc was published for openclaw (npm) | Mar 3, 2026

Temporary path handling could write outside OpenClaw temp boundary
Moderate | GHSA-33hm-cq8r-wc49 was published for openclaw (npm) | Mar 3, 2026

Rancher cloud credentials can be used through proxy API by users without access
Critical | CVE-2021-25320 was published for github.com/rancher/rancher (Go) | Mar 3, 2026

OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
Moderate | GHSA-ww6v-v748-x7g9 was published for openclaw (npm) | Mar 2, 2026

OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
Moderate | GHSA-p7gr-f84w-hqg5 was published for openclaw (npm) | Mar 2, 2026

OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
High | CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) | Mar 2, 2026

ProTip! Advisories are also available from the GraphQL API.