GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
12 advisories
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
High
GHSA-g75x-8qqm-2vxp
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
Moderate
GHSA-f8mp-vj46-cq8v
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
Moderate
GHSA-qhrr-grqp-6x2g
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
High
GHSA-q399-23r3-hfx4
was published
for
openclaw
(npm)
Mar 2, 2026
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Moderate
CVE-2026-23888
was published
for
pnpm
(npm)
Jan 26, 2026
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Moderate
CVE-2024-53866
was published
for
pnpm
(npm)
Dec 10, 2024
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
High
CVE-2024-27303
was published
for
app-builder-lib
(npm)
Mar 4, 2024
ProTip!
Advisories are also available from the
GraphQL API