Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

2,007 advisories

Loading
OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection High
GHSA-g2f6-pwvx-r275 was published for openclaw (npm) Mar 16, 2026
lintsinghua Credited to lintsinghua
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion High
GHSA-jq3f-vjww-8rq7 was published for openclaw (npm) Mar 16, 2026
space08 Credited to space08
OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval High
GHSA-63f5-hhc7-cx6p was published for openclaw (npm) Mar 16, 2026
tdjackey Credited to tdjackey
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries High
CVE-2026-32728 was published for parse-server (npm) Mar 16, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter High
CVE-2026-29112 was published for @dicebear/converter (npm) Mar 16, 2026
maru1009 Credited to maru1009
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script High
CVE-2026-4092 was published for @google/clasp (npm) Mar 13, 2026
g0w6y Credited to g0w6y
Angular vulnerable to XSS in i18n attribute bindings High
CVE-2026-32635 was published for @angular/compiler (npm) Mar 13, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, securityMB, josephperrott, crisbeto, and hdtmccallie AndrewKushnir AndrewKushnir
securityMB securityMB josephperrott josephperrott crisbeto crisbeto hdtmccallie hdtmccallie
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-g353-mgv3-8pcj was published for openclaw (npm) Mar 13, 2026
lintsinghua Credited to lintsinghua
OpenClaw: Gateway `agent` calls could override the workspace boundary High
GHSA-2rqg-gjgv-84jm was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state High
GHSA-wcxr-59v9-rxr8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories High
GHSA-99qw-6mr3-36qr was published for openclaw (npm) Mar 13, 2026
lintsinghua Credited to lintsinghua
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces High
GHSA-r7vr-gr74-94p8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes High
GHSA-vmhq-cqm9-6p7q was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression High
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
HO-9 Credited to HO-9, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation High
CVE-2026-2229 was published for undici (npm) Mar 13, 2026
aisle-research Credited to aisle-research, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client High
CVE-2026-1528 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") High
CVE-2026-32308 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity High
GHSA-qc36-x95h-7j53 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
GHSA-rw39-5899-8mxp was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-xf99-j42q-5w5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries High
GHSA-4w7m-58cg-cmff was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
flatted vulnerable to unbounded recursion DoS in parse() revive phase High
CVE-2026-32141 was published for flatted (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode High
CVE-2026-32302 was published for openclaw (npm) Mar 12, 2026
yianworks Credited to yianworks
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database