Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,134
Maven
5,000+
npm
5,000+
NuGet
1,013
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,419
Swift
61
Unreviewed advisories
All unreviewed
5,000+

152 advisories

Loading
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality High
GHSA-5r2p-pjr8-7fh7 was published for sagemaker (pip) Mar 5, 2026
daridor9 Credited to daridor9
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program Moderate
CVE-2026-32010 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write Moderate
CVE-2026-32017 was published for openclaw (npm) Mar 3, 2026
xelitte777 Credited to xelitte777 and Redgrave961 Redgrave961 Redgrave961
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode High
CVE-2026-32059 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL Moderate
CVE-2026-22217 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Craft CMS has Twig Function Blocklist Bypass Moderate
CVE-2026-28783 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
CVE-2026-53873 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) Moderate
CVE-2026-32022 was published for openclaw (npm) Mar 3, 2026
athuljayaram Credited to athuljayaram
OpenClaw has allowlist exec-guard bypass via env -S Moderate
CVE-2026-31992 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c) Moderate
CVE-2026-22175 was published for openclaw (npm) Mar 2, 2026
jiseoung Credited to jiseoung
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Low
CVE-2026-31993 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode Critical
CVE-2026-28363 was published for openclaw (npm) Feb 27, 2026
Fickling has safety check bypass via REDUCE+BUILD opcode sequence Moderate
GHSA-mhc9-48gj-9gp3 was published for fickling (pip) Feb 25, 2026
yash2998chhabria Credited to yash2998chhabria
IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame.... High Unreviewed
CVE-2026-1773 was published Feb 24, 2026
Fickling has a detection bypass via stdlib network-protocol constructors Low
GHSA-83pf-v6qq-pwmr was published for fickling (pip) Feb 20, 2026
NucleiAv Credited to NucleiAv
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
CVE-2026-31996 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
CVE-2026-53875 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
FUXA Affected by a Path Traversal Sanitization Bypass High
CVE-2026-25951 was published for fuxa-server (npm) Feb 10, 2026
h1dr1 Credited to h1dr1
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist High
CVE-2026-22609 was published for fickling (pip) Jan 9, 2026
mldangelo Credited to mldangelo
Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection High
CVE-2026-22608 was published for fickling (pip) Jan 9, 2026
0x-Apollyon Credited to 0x-Apollyon
Fickling Blocklist Bypass: cProfile.run() High
CVE-2026-22607 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
Fickling has a bypass via runpy.run_path() and runpy.run_module() High
CVE-2026-22606 was published for fickling (pip) Jan 9, 2026
beneaththecode Credited to beneaththecode
libsodium has Incomplete List of Disallowed Inputs Moderate
CVE-2025-69277 was published for PyNaCl (Composer) Dec 31, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database