Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,196
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,483
Pub
12
RubyGems
992
Rust
1,186
Swift
51
Unreviewed advisories
All unreviewed
5,000+

284 advisories

Loading
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API Moderate
CVE-2026-3429 was published for org.keycloak:keycloak-services (Maven) Mar 11, 2026
django-unicorn affected by component state manipulation via unvalidated attribute access Moderate
CVE-2026-31815 was published for django-unicorn (pip) Mar 11, 2026
RinZ27 Credited to RinZ27
Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash Moderate
CVE-2026-2742 was published for com.vaadin:flow-server (Maven) Mar 10, 2026
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions Moderate
GHSA-9q36-67vc-rrwg was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion Moderate
CVE-2026-29061 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gokapi has privilege escalation with auth token Moderate
CVE-2026-29060 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Forceu Credited to Forceu
Gokapi has Data Leak in Upload Status Stream Moderate
CVE-2026-28682 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images Moderate
GHSA-q6qf-4p5j-r25g was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch Moderate
GHSA-534w-2vm4-89xr was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch Moderate
GHSA-gw85-xp4q-5gp9 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default) Moderate
GHSA-h9xm-j4qg-fvpg was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode Moderate
GHSA-ccg8-46r6-9qgj was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Temporary path handling could write outside OpenClaw temp boundary Moderate
GHSA-33hm-cq8r-wc49 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id> Moderate
GHSA-ww6v-v748-x7g9 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns Moderate
GHSA-p7gr-f84w-hqg5 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
Gradio has an Open Redirect in its OAuth Flow Moderate
CVE-2026-28415 was published for gradio (pip) Mar 1, 2026
logicx24 Credited to logicx24
Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes Moderate
CVE-2026-0871 was published for org.keycloak:keycloak-server-spi-private (Maven) Feb 27, 2026
Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations Moderate
CVE-2026-22728 was published for github.com/bitnami-labs/sealed-secrets (Go) Feb 26, 2026
1seal Credited to 1seal
n8n has an SSO Enforcement Bypass in its Self-Service Settings API Moderate
GHSA-vjf3-2gpj-233v was published for n8n (npm) Feb 26, 2026
stanislavfortaisle Credited to stanislavfortaisle
ImageMagick's Security Policy Bypass through config/policy-secure.xml via "fd handler" leads to stdin/stdout access Moderate
CVE-2026-25966 was published for Magick.NET-Q16-AnyCPU (NuGet) Feb 24, 2026
OpenClaw Telegram allowlist authorization accepted mutable usernames Moderate
CVE-2026-28480 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities Moderate
CVE-2026-26328 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs Moderate
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
spingARbor Credited to spingARbor
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback Moderate
CVE-2026-28395 was published for openclaw (npm) Feb 17, 2026
qi-scape Credited to qi-scape
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database