GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,073 advisories

Skill-scanner Unsecured Network Binding Vulnerability Moderate
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
Credited to duddnr0615k and DaneEveritt
Indico Affected by Cross-Site-Scripting via material uploads Moderate
CVE-2026-25739 was published for indico (pip) Feb 17, 2026
Credited to dreyercito
Echo has a Windows path traversal via backslash in middleware.Static default filesystem Moderate
CVE-2026-25766 was published for github.com/labstack/echo/v5 (Go) Feb 17, 2026
Credited to shblue21, aldas, and vishr
Indico has Server-Side Request Forgery (SSRF) in multiple places Moderate
CVE-2026-25738 was published for indico (pip) Feb 17, 2026
Credited to rahulgovind, inkz, and yueyueL
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href Moderate
CVE-2026-25500 was published for rack (RubyGems) Feb 17, 2026
Credited to thesmartshadow, jeremyevans, and ioquatix
Credited to yueyueL
Unauthenticated File Upload in Gogs Moderate
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Gogs has a Protected Branch Deletion Bypass in Web Interface High
CVE-2026-25232 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs Moderate
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs Allows Cross-Repository Comment Deletion via DeleteComment Moderate
CVE-2026-25120 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to tenbbughunters
Credited to KonstantinMirin
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change High
GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) Feb 17, 2026
Credited to KTOymep
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust) Moderate
GHSA-xc7w-v5x6-cc87 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw affected by SSRF in Image Tool Remote Fetch High
GHSA-56f2-hvwg-5743 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback Moderate
GHSA-qw99-grcx-4pvm was published for openclaw (npm) Feb 17, 2026
Credited to qi-scape
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
GHSA-3hcm-ggvf-rch5 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access High
GHSA-mr32-vwc2-5j6h was published for moltbot (npm) Feb 17, 2026
Credited to johnatzeropath, LeftenantZero, and yueyueL
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating High
GHSA-qj77-c3c8-9c3q was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw has an arbitrary transcript path file write via gateway sessionFile High
GHSA-64qx-vpxx-mvqf was published for openclaw (npm) Feb 17, 2026
Credited to tubadeligoz
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing High
GHSA-hv93-r4j3-q65f was published for openclaw (npm) Feb 17, 2026
Credited to alpernae
Weblate has an argument injection in management console Moderate
CVE-2026-24126 was published for Weblate (pip) Feb 17, 2026
Credited to alexb616 and nijel
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated Critical
GHSA-rv39-79c4-7459 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
Rack has a Directory Traversal via Rack:Directory High
CVE-2026-22860 was published for rack (RubyGems) Feb 17, 2026
Credited to Masamuneee, jeremyevans, and ioquatix
BSV Blockchain SDK has an Authentication Signature Data Preparation Vulnerability Moderate
CVE-2025-69287 was published for @bsv/sdk (npm) Feb 17, 2026
Credited to F1r3Hydr4nt