Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

13 advisories

Loading
Automatic room upgrade handling can be used maliciously to bridge a room non-consentually Moderate
CVE-2021-32659 was published for matrix-appservice-bridge (npm) Jun 21, 2021
OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering Moderate
CVE-2026-28450 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled Moderate
CVE-2026-29606 was published for openclaw (npm) Feb 18, 2026
p80n-sec Credited to p80n-sec
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
CVE-2026-32896 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint Moderate
GHSA-pfv7-rr5m-qmv6 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw Loopback CDP probe can leak Gateway token to local listener Moderate
CVE-2026-22174 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Parse Server's GraphQL WebSocket endpoint bypasses security middleware Moderate
CVE-2026-32594 was published for parse-server (npm) Mar 13, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
GHSA-vh4c-j2xv-9pv9 was published for openclaw (npm) Mar 21, 2026 withdrawn
@grackle-ai/powerline Runs Without Authentication by Default Moderate
GHSA-xq7h-vwjp-5vrh was published for @grackle-ai/powerline (npm) Mar 25, 2026
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request Moderate
CVE-2026-56270 was published for flowise (npm) Apr 16, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials Moderate
GHSA-92jp-89mq-4374 was published for openclaw (npm) Apr 17, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass Moderate
CVE-2026-45577 was published for neotoma (npm) May 18, 2026
ProTip! Advisories are also available from the GraphQL API