GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
20 advisories
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
High
CVE-2026-42433
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
High
CVE-2026-43569
was published
for
openclaw
(npm)
Apr 17, 2026
TorchGeo Remote Code Execution Vulnerability
High
CVE-2024-49048
was published
for
torchgeo
(pip)
Apr 1, 2026
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
High
GHSA-5r8f-96gm-5j6g
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
High
CVE-2026-41299
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
High
GHSA-5h2w-qmfp-ggp6
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
High
CVE-2026-35621
was published
for
openclaw
(npm)
Mar 30, 2026
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
High
CVE-2026-35669
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding
High
GHSA-9p93-7j67-5pc2
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw has Inconsistent Host Exec Environment Override Sanitization
High
CVE-2026-35650
was published
for
openclaw
(npm)
Mar 26, 2026
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink
High
CVE-2026-32232
was published
for
zeptoclaw
(Rust)
Mar 12, 2026
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
High
CVE-2026-32231
was published
for
zeptoclaw
(Rust)
Mar 12, 2026
zeptoclaw has Android device shell blocklist bypass via argument permutation
High
GHSA-hhjv-jq77-cmvx
was published
for
zeptoclaw
(Rust)
Mar 5, 2026
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
High
CVE-2026-32030
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
High
CVE-2026-32036
was published
for
openclaw
(npm)
Mar 3, 2026
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High
GHSA-97f8-7cmv-76j2
was published
for
picklescan
(pip)
Feb 18, 2026
OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
High
CVE-2026-28451
was published
for
openclaw
(npm)
Feb 18, 2026
OpenClaw has a LFI in BlueBubbles media path handling
High
CVE-2026-29611
was published
for
openclaw
(npm)
Feb 18, 2026
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
High
CVE-2026-26321
was published
for
openclaw
(npm)
Feb 17, 2026
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
High
CVE-2023-49781
was published
for
nocodb
(npm)
May 13, 2024
ProTip!
Advisories are also available from the
GraphQL API