GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
27,653 advisories
Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
Severity: Low. GHSA-8mr2-f9wf-hcfq was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Severity: Moderate. GHSA-rcx4-77x4-hjx5 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Severity: Moderate. GHSA-vh4c-j2xv-9pv9 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress
Severity: Moderate. GHSA-g839-vp47-wgh8 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Severity: Moderate. GHSA-3r78-rqg8-95gg was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
Severity: High. GHSA-9f79-7pw8-3fj8 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Severity: High. GHSA-rj39-33v7-9xrq was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Severity: Moderate. GHSA-mxmg-3p7m-2ghr was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
Severity: Low. GHSA-vmvw-pwwf-cc2w was published for openclaw (NuGet) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
Severity: Moderate. GHSA-xh9j-mpc9-2m9p was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Severity: Low. GHSA-cjq8-m7wj-xmq9 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers
Severity: Moderate. GHSA-xgwg-m42c-8q62 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
Severity: High. GHSA-cxcw-jm67-3wwp was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
Severity: High. GHSA-qwmf-95r9-gx9x was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Severity: Moderate. GHSA-w6f4-3v35-qjhj was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Severity: Moderate. GHSA-86jj-29wc-7q2w was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
Severity: High. GHSA-xq3g-m3j8-2vmm was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability
Severity: Moderate. GHSA-q94v-v6m9-jhq9 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
Severity: Moderate. GHSA-3p2x-hjxj-c7rv was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter
Severity: Moderate. CVE-2026-3864 was published for github.com/kubernetes-csi/csi-driver-nfs (Go) on Mar 21, 2026.

MindSQL is vulnerable to Code Injection through its ask_db function
Severity: Low. CVE-2026-4506 was published for mindsql (pip) on Mar 21, 2026.

AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writable PHP)
Severity: High. CVE-2026-33513 was published for wwbn/avideo (Composer) on Mar 20, 2026.

AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Severity: High. GHSA-mwjc-5j4x-r686 was published for wwbn/avideo (Composer) on Mar 20, 2026.

webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
Severity: Moderate. GHSA-pwjx-qhcg-rvj4 was published for rustls-webpki (Rust) on Mar 20, 2026.

pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Severity: High. CVE-2026-33509 was published for pyload-ng (pip) on Mar 20, 2026.