GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,098 advisories

OpenClaw skills.status could leak secrets to operator.read clients (severity: Moderate)
CVE-2026-26326 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle

OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals (severity: High)
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
Credited to christos-eth

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) (severity: High)
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL

OpenClaw Gateway tool allowed unrestricted gatewayUrl override (severity: High)
CVE-2026-26322 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec

OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension (severity: High)
CVE-2026-26321 was published for openclaw (npm) Feb 17, 2026
Credited to zpbrent

OpenClaw macOS deep link confirmation truncation can conceal executed agent message (severity: High)
CVE-2026-26320 was published for openclaw (npm) Feb 17, 2026
Credited to Cillian-Collins

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests (severity: High)
CVE-2026-26319 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec

OpenClaw has a Path Traversal in Plugin Installation (severity: Critical)
GHSA-qrq5-wjgg-rvqw was published for openclaw (npm) Feb 17, 2026
Credited to logicx24

OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve (severity: High)
GHSA-mqpw-46fh-299h was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL

OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains (severity: High)
GHSA-7vwx-582j-j332 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL and MegaManSec

OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching) (severity: Critical)
GHSA-4rj2-gpmh-qq5x was published for openclaw (npm) Feb 17, 2026
Credited to simecek, stanislavfortaisle, and MegaManSec

Nextcloud Talk allowlist bypass via actor.name display name spoofing (severity: Critical)
GHSA-r5h9-vjqc-hq3r was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
Credited to MegaManSec

OpenClaw has a potential access-group authorization bypass if channel type lookup fails (severity: Critical)
GHSA-fhvm-j76f-qmjv was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle

OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching (severity: Moderate)
GHSA-rmxw-jxxx-4cpc was published for openclaw (npm) Feb 17, 2026
Credited to MegaManSec

OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust (severity: High)
CVE-2026-26316 was published for @openclaw/bluebubbles (npm) Feb 17, 2026
Credited to MegaManSec

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations (severity: Moderate)
GHSA-3m3q-x3gj-f79x was published for @clawdbot/voice-call (npm) Feb 17, 2026
Credited to 0x5t

OpenClaw log poisoning (indirect prompt injection) via WebSocket headers (severity: Low)
GHSA-g27f-9qjv-22pm was published for openclaw (npm) Feb 17, 2026
Credited to pkerkhofs

OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering (severity: Moderate)
GHSA-mv9j-6xhh-g383 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle

OpenClaw affected by SSRF via attachment/media URL hydration (severity: Moderate)
GHSA-wfp2-v9c7-fh79 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) (severity: High)
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
Credited to ByamB4

Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass (severity: High)
CVE-2026-26275 was published for httpsig-hyper (Rust) Feb 17, 2026
Credited to divi255

The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide (severity: High)
CVE-2026-26267 was published for soroban-sdk-macros (Rust) Feb 17, 2026
Credited to leighmcculloch, mootz12, nan-zellic, and dmkozh

emp3r0r Affected by Concurrent Map Access DoS (panic/crash) (severity: High)
CVE-2026-26201 was published for github.com/jm33-m0/emp3r0r/core (Go) Feb 17, 2026
Credited to xtle0o0

Skill-scanner Unsecured Network Binding Vulnerability (severity: Moderate)
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7