GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

33 advisories

OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
Credited to zpbrent
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions Moderate
GHSA-9q36-67vc-rrwg was published for openclaw (npm) Mar 9, 2026
Credited to tdjackey
OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch Moderate
GHSA-534w-2vm4-89xr was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default) Moderate
GHSA-h9xm-j4qg-fvpg was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
Temporary path handling could write outside OpenClaw temp boundary Moderate
GHSA-33hm-cq8r-wc49 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id> Moderate
GHSA-ww6v-v748-x7g9 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns Moderate
GHSA-p7gr-f84w-hqg5 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
n8n has an SSO Enforcement Bypass in its Self-Service Settings API Moderate
GHSA-vjf3-2gpj-233v was published for n8n (npm) Feb 26, 2026
Credited to stanislavfortaisle
OpenClaw Telegram allowlist authorization accepted mutable usernames Moderate
CVE-2026-28480 was published for clawdbot (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities Moderate
CVE-2026-26328 was published for clawdbot (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback Moderate
CVE-2026-28395 was published for openclaw (npm) Feb 17, 2026
Credited to qi-scape
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) Moderate
CVE-2026-24473 was published for hono (npm) Jan 27, 2026
Credited to kilkat and JungJoonWoo
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching Moderate
CVE-2025-68949 was published for n8n (npm) Jan 13, 2026
Credited to berkdedekarginoglu
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation Moderate
CVE-2025-66028 was published for @oneuptime/common (npm) Nov 25, 2025
Credited to SamirWaleed
Directus has Improper Permission Handling on Deleted Fields Moderate
CVE-2025-64746 was published for directus (npm) Nov 14, 2025
Credited to beafn28
Vite allows server.fs.deny to be bypassed with .svg or relative paths Moderate
CVE-2025-31486 was published for vite (npm) Apr 4, 2025
Credited to HSwift, Iuhsssss, kikayli, sw0rd1ight, do9gy-msec, and Onetpaer
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query Moderate
CVE-2025-31125 was published for vite (npm) Mar 31, 2025
Credited to Iuhsssss
Vite bypasses server.fs.deny when using ?raw?? Moderate
CVE-2025-30208 was published for vite (npm) Mar 25, 2025
Credited to Ezzer17
Directus vulnerable to SSRF Loopback IP filter bypass Moderate
CVE-2024-46990 was published for @directus/api (npm) Sep 18, 2024
Credited to r3dpower
Vite's `server.fs.deny` is bypassed when using `?import&raw` Moderate
CVE-2024-45811 was published for vite (npm) Sep 17, 2024
Credited to adi1
Mattermost Desktop App fails to safeguard screen capture functionality Moderate
CVE-2024-39772 was published for mattermost-desktop (npm) Sep 16, 2024
Ghost's improper authentication allows access to member information and actions Moderate
CVE-2024-43409 was published for @tryghost/portal (npm) Aug 20, 2024
Credited to 1337Nerd