GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

13 advisories

OpenClaw: Active Memory write scope could mutate global config (Moderate)
CVE-2026-53847 was published for openclaw (npm) Jun 18, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes (Low)
GHSA-h9h6-pwqv-j9hv was published for openclaw (npm) Jun 16, 2026, withdrawn

Duplicate Advisory: Active Memory write scope could mutate global config (Moderate)
GHSA-58wc-8wrv-xp9j was published for openclaw (npm) Jun 16, 2026, withdrawn

Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints (Low)
GHSA-w626-296m-8f85 was published for openclaw (npm) May 11, 2026, withdrawn

OpenClaw: Matrix profile config persistence was reachable from operator.write message tools (High)
CVE-2026-42433 was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent

OpenClaw: Nostr profile mutation routes allowed operator.write config persistence (Moderate)
GHSA-f3h5-h452-vp3j was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent

OpenClaw: Memory dreaming config persistence was reachable from operator.write commands (Moderate)
CVE-2026-43568 was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent

OpenClaw: Collect-mode queue batches could reuse the last sender authorization context (Moderate)
CVE-2026-43535 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes (Critical)
GHSA-phgf-3849-rgjq was published for openclaw (npm) Mar 31, 2026, withdrawn

OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` (Moderate)
CVE-2026-35645 was published for openclaw (npm) Mar 29, 2026
Credited to zpbrent

OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt (High)
GHSA-7ff8-xjh3-mgh6 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey

AWS CDK EKS overly permissive trust policies (Moderate)
CVE-2023-35165 was published for @aws-cdk/aws-eks (npm) Jun 19, 2023
Credited to twelvemo and stefreak