Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

31 advisories

Loading
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence Moderate
GHSA-f3h5-h452-vp3j was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands Moderate
CVE-2026-43568 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup Moderate
CVE-2026-41295 was published for openclaw (npm) Apr 7, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send Moderate
CVE-2026-41379 was published for openclaw (npm) Apr 7, 2026
zpbrent Credited to zpbrent
OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope Moderate
CVE-2026-35619 was published for openclaw (npm) Mar 30, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Moderate
CVE-2026-35661 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token Moderate
CVE-2026-35646 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback Moderate
CVE-2026-35654 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` Moderate
CVE-2026-35645 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing Moderate
CVE-2026-35664 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope Moderate
CVE-2026-35657 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
CVE-2026-35628 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Moderate
GHSA-mw7w-g3mg-xqm7 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Moderate
CVE-2026-35647 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
CVE-2026-35623 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting Moderate
CVE-2026-35655 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
CVE-2026-35637 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
CVE-2026-35652 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status Moderate
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
CVE-2026-34505 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths Moderate
GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu reaction events could bypass group authorization and mention gating Moderate
GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw's Zalouser allowlist authorization matched mutable group names by default Moderate
GHSA-f5mf-3r52-r83w was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database