GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,123 advisories

opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path (High)
CVE-2026-26205 was published for github.com/open-policy-agent/opa-envoy-plugin (Go) on Feb 18, 2026
Credited to thevilledev

Trivy Action has a script injection via sourced env file in composite action (Moderate)
CVE-2026-26189 was published for aquasecurity/trivy-action (GitHub Actions) on Feb 18, 2026
Credited to 1seal, DmitriyLewen, and simar7

OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway (High)
GHSA-v6c6-vqqg-w888 was published for openclaw (npm) on Feb 18, 2026
Credited to 222n5

OpenClaw's unsanitized session ID enables path traversal in transcript file operations (Moderate)
GHSA-5xfq-5mr7-426q was published for openclaw (npm) on Feb 18, 2026
Credited to akhmittra and scumfrog

OpenClaw inter-session prompts could be treated as direct user instructions (High)
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) on Feb 18, 2026
Credited to anbecker

Libredesk has an SSRF Vulnerability in Webhooks (Moderate)
CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) on Feb 18, 2026
Credited to PlayerIUnknown

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides) (High)
GHSA-jqpq-mgvm-f9r6 was published for openclaw (npm) on Feb 18, 2026
Credited to akhmittra

OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication (Moderate)
GHSA-pg2v-8xwh-qhcc was published for openclaw (npm) on Feb 18, 2026
Credited to p80n-sec

OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled (Moderate)
GHSA-c37p-4qqg-3p76 was published for openclaw (npm) on Feb 18, 2026
Credited to p80n-sec

OpenClaw Telegram allowlist authorization accepted mutable usernames (Moderate)
GHSA-mj5r-hh7j-4gxf was published for clawdbot (npm) on Feb 18, 2026
Credited to vincentkoc

OpenClaw affected by denial of service via unbounded webhook request body buffering (High)
GHSA-q447-rj3r-2cgh was published for clawdbot (npm) on Feb 18, 2026
Credited to vincentkoc

OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks (Moderate)
GHSA-w2cg-vxx6-5xjg was published for clawdbot (npm) on Feb 18, 2026
Credited to vincentkoc

OpenClaw affected by denial of service via unbounded URL-backed media fetch (High)
GHSA-j27p-hq53-9wgc was published for openclaw (npm) on Feb 18, 2026
Credited to vincentkoc

OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands (Moderate)
GHSA-v773-r54f-q32w was published for openclaw (npm) on Feb 18, 2026
Credited to christos-eth

OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion (Moderate)
GHSA-xvhf-x56f-2hpp was published for openclaw (npm) on Feb 18, 2026
Credited to christos-eth

OpenClaw has a command injection in maintainer clawtributors updater (High)
CVE-2026-26323 was published for openclaw (npm) on Feb 18, 2026
Credited to scanleale and MegaManSec

OpenClaw has a path traversal in browser upload that allows local file read (High)
CVE-2026-26329 was published for openclaw (npm) on Feb 18, 2026
Credited to p80n-sec

OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities (Moderate)
CVE-2026-26328 was published for clawdbot (npm) on Feb 18, 2026
Credited to vincentkoc

OpenClaw allows unauthenticated discovery TXT records that could steer routing and TLS pinning (High)
CVE-2026-26327 was published for openclaw (npm) on Feb 18, 2026
Credited to simecek, stanislavfortaisle, and vincentkoc

OpenClaw skills.status could leak secrets to operator.read clients (Moderate)
CVE-2026-26326 was published for openclaw (npm) on Feb 17, 2026
Credited to simecek and stanislavfortaisle