GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

376 advisories

OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks Low
GHSA-j4c5-89f5-f3pm was published for openclaw (npm) Apr 25, 2026
Credited to nicky-cc
OpenClaw: Paired-device pairing actions were not limited to the caller device Low
GHSA-xrq9-jm7v-g9h7 was published for openclaw (npm) Apr 25, 2026
Credited to Hinotoi-agent
OpenClaw: QQBot direct media upload skipped URL SSRF validation Low
GHSA-c4qg-j8jg-42q5 was published for openclaw (npm) Apr 25, 2026
Credited to foodlook
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
GHSA-57r2-h2wj-g887 was published for openclaw (npm) Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization Low
GHSA-v8qf-fr4g-28p2 was published for openclaw (npm) Apr 25, 2026
Credited to Kherrisan
Credited to kodareef5
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
GHSA-gc9r-867r-j85f was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
GHSA-r77c-2cmr-7p47 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: TOCTOU read in exec script preflight Low
GHSA-gj9q-8w99-mp8j was published for openclaw (npm) Apr 16, 2026
Credited to kikayli
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint Low
CVE-2026-33877 was published for apostrophe (npm) Apr 16, 2026
Credited to offset
DbGate has cross site scripting via the SVG Icon String Handler component Low
CVE-2026-6216 was published for dbgate-web (npm) Apr 13, 2026
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation Low
GHSA-x7mm-9vvv-64w8 was published for unhead (npm) Apr 10, 2026
Credited to Jvr2022
@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler Low
GHSA-59xv-588h-2vmm was published for @saltcorn/data (npm) Apr 10, 2026
Credited to zulloper
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts Low
CVE-2026-6011 was published for openclaw (npm) Apr 10, 2026
Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Low
GHSA-5f7h-p83x-5vc2 was published for openclaw (npm) Apr 10, 2026 withdrawn
Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
GHSA-j42q-r6qx-xrfp was published for openclaw (npm) Apr 10, 2026 withdrawn
Credited to boy-hack
Credited to smaeljaish771 and KeenSecurityLab
Credited to Telecaster2147
awwaiid mcp-server-taskwarrior vulnerable to command injection Low
CVE-2026-5833 was published for mcp-server-taskwarrior (npm) Apr 9, 2026
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter Low
CVE-2026-34166 was published for liquidjs (npm) Apr 8, 2026
Credited to offset
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets Low
GHSA-fqrj-m88p-qf3v was published for openclaw (npm) Apr 7, 2026
Credited to nexrin, KeenSecurityLab, and qclawer
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send Low
GHSA-767m-xrhc-fxm7 was published for openclaw (npm) Apr 7, 2026
Credited to zpbrent
Electron: Crash in clipboard.readImage() on malformed clipboard image data Low
CVE-2026-34781 was published for electron (npm) Apr 7, 2026
Credited to frostb1ten