GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 42
GitHub Actions: 43
Go: 3,164
Maven: 5,000+
npm: 5,000+
NuGet: 863
pip: 4,458
Pub: 12
RubyGems: 991
Rust: 1,184
Swift: 50

Unreviewed advisories:
All unreviewed: 5,000+
23 advisories
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation. Severity: Moderate. GHSA-5m9r-p9g7-679c was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths. Severity: Moderate. GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Feishu reaction events could bypass group authorization and mention gating. Severity: Moderate. GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) on Mar 13, 2026.
OpenClaw's Zalouser allowlist authorization matched mutable group names by default. Severity: Moderate. GHSA-f5mf-3r52-r83w was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists. Severity: Moderate. GHSA-9vvh-2768-c8vp was published for openclaw (npm) on Mar 13, 2026.
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation. Severity: Moderate. GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) on Mar 12, 2026.
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink. Severity: High. CVE-2026-32232 was published for zeptoclaw (Rust) on Mar 12, 2026.
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data. Severity: High. CVE-2026-32231 was published for zeptoclaw (Rust) on Mar 12, 2026.
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty. Severity: Moderate. GHSA-g7cr-9h7q-4qxq was published for openclaw (npm) on Mar 12, 2026.
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots. Severity: Moderate. GHSA-j425-whc4-4jgc was published for openclaw (npm) on Mar 9, 2026.
zeptoclaw has Shell allowlist-blocklist bypass via command/argument injection and file name wildcards. Severity: Critical. GHSA-5wp8-q9mx-8jx8 was published for zeptoclaw (Rust) on Mar 5, 2026.
zeptoclaw has Android device shell blocklist bypass via argument permutation. Severity: High. GHSA-hhjv-jq77-cmvx was published for zeptoclaw (Rust) on Mar 5, 2026.
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP. Severity: Moderate. GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) on Mar 4, 2026.
OpenClaw has an IPv6 multicast SSRF classifier bypass. Severity: Moderate. GHSA-h97f-6pqj-q452 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback). Severity: Moderate. GHSA-5mx2-2mgw-x8rm was published for openclaw/openclaw (npm) on Mar 3, 2026.
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia. Severity: High. GHSA-x9cf-3w63-rpq9 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths. Severity: High. GHSA-mwxv-35wr-4vvj was published for openclaw (npm) on Mar 3, 2026.
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes. Severity: Moderate. GHSA-hff7-ccv5-52f8 was published for openclaw (npm) on Mar 3, 2026.
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER. Severity: High. GHSA-97f8-7cmv-76j2 was published for picklescan (pip) on Feb 18, 2026.
OpenClaw has two SSRFs via sendMediaFeishu and markdown image fetching in Feishu extension. Severity: High. CVE-2026-28451 was published for openclaw (npm) on Feb 18, 2026.
OpenClaw has an LFI in BlueBubbles media path handling. Severity: High. CVE-2026-29611 was published for openclaw (npm) on Feb 18, 2026.
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension. Severity: High. CVE-2026-26321 was published for openclaw (npm) on Feb 17, 2026.
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue. Severity: High. CVE-2023-49781 was published for nocodb (npm) on May 13, 2024.