GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
32 advisories
n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
Moderate • CVE-2026-42227 was published for n8n (npm) • Apr 29, 2026
Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Moderate • GHSA-f5fm-9jmp-c88r was published for openclaw (npm) • Apr 28, 2026 • withdrawn
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Moderate • CVE-2026-45002 was published for openclaw (npm) • Apr 25, 2026
MCPHub has an authentication bypass
Moderate • CVE-2025-13822 was published for @samanhappy/mcphub (npm) • Apr 14, 2026
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Moderate • CVE-2026-41372 was published for openclaw (npm) • Apr 7, 2026
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
Moderate • CVE-2026-41406 was published for openclaw (npm) • Apr 2, 2026
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Moderate • CVE-2026-35657 was published for openclaw (npm) • Mar 29, 2026
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
Moderate • CVE-2026-35670 was published for openclaw (npm) • Mar 26, 2026
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Moderate • CVE-2026-33724 was published for n8n (npm) • Mar 25, 2026
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Moderate • GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) • Mar 13, 2026
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
Moderate • CVE-2026-32104 was published for studiocms (npm) • Mar 12, 2026
StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation
Moderate • CVE-2026-32103 was published for studiocms (npm) • Mar 12, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate • CVE-2026-30959 was published for @oneuptime/common (npm) • Mar 10, 2026
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Moderate • GHSA-pjvx-rx66-r3fg was published for openclaw (npm) • Mar 9, 2026
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
Moderate • GHSA-j425-whc4-4jgc was published for openclaw (npm) • Mar 9, 2026
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
Moderate • GHSA-f6h3-846h-2r8w was published for openclaw (npm) • Mar 4, 2026
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
Moderate • CVE-2026-32039 was published for openclaw (npm) • Mar 3, 2026
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
Moderate • CVE-2026-32021 was published for openclaw (npm) • Mar 3, 2026
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Moderate • GHSA-j26j-7qc4-3mrf was published for openclaw (npm) • Mar 3, 2026
NocoDB Missing Ownership Validation in MCP Token Operations
Moderate • CVE-2026-28361 was published for nocodb (npm) • Mar 2, 2026
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Moderate • CVE-2026-32898 was published for openclaw (npm) • Feb 27, 2026
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)
Moderate • CVE-2026-25574 was published for payload (npm) • Feb 5, 2026
Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing
Moderate • CVE-2026-1664 was published for agents (npm) • Feb 3, 2026
StudioCMS has Authorization Bypass Through User-Controlled Key
Moderate • CVE-2026-24134 was published for studiocms (npm) • Jan 27, 2026
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
Moderate • CVE-2025-69202 was published for axios-cache-interceptor (npm) • Dec 30, 2025
ProTip! Advisories are also available from the GraphQL API