Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,426
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,670
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

39 advisories

Loading
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses Moderate
GHSA-rm5c-4rmf-vvhw was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape Moderate
CVE-2026-34452 was published for anthropic (pip) Apr 1, 2026
Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
GHSA-xxj4-96ph-g6j6 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
GHSA-wwrj-437c-ppq4 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path Moderate
GHSA-6q2v-vfwp-pvwh was published for openclaw (npm) Mar 29, 2026 withdrawn
OpenClaw may have stale policy enforcement for queued node actions Moderate
GHSA-wj55-88gf-x564 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host Moderate
GHSA-3p2x-hjxj-c7rv was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind Moderate
GHSA-q86m-697p-h7fh was published for openclaw (npm) Mar 19, 2026 withdrawn
OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
CVE-2026-32977 was published for openclaw (npm) Mar 13, 2026
qi-scape Credited to qi-scape
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path Moderate
CVE-2026-33574 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
CVE-2026-32921 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows Moderate
CVE-2026-22180 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured Moderate
CVE-2026-22181 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host Moderate
CVE-2026-32043 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit Moderate
CVE-2026-27128 was published for craftcms/cms (Composer) Feb 23, 2026
vitalysim Credited to vitalysim
Indico has Server-Side Request Forgery (SSRF) in multiple places Moderate
CVE-2026-25738 was published for indico (pip) Feb 17, 2026
rahulgovind Credited to rahulgovind, inkz, and yueyueL inkz inkz
yueyueL yueyueL
miniserve affected by a TOCTOU and symlink race vulnerability Moderate
CVE-2025-67124 was published for miniserve (Rust) Jan 23, 2026
Outray cli is vulnerable to race conditions in tunnels creation Moderate
CVE-2026-22820 was published for outray (npm) Jan 13, 2026
gr33pp Credited to gr33pp and SENSEiXENUS SENSEiXENUS SENSEiXENUS
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock Moderate
CVE-2026-22701 was published for filelock (pip) Jan 13, 2026
tsigouris007 Credited to tsigouris007
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU) Moderate
CVE-2025-69211 was published for @nestjs/platform-fastify (npm) Dec 30, 2025
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation Moderate
CVE-2025-68146 was published for filelock (pip) Dec 16, 2025
tsigouris007 Credited to tsigouris007 and gaborbernat gaborbernat gaborbernat
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Moderate
CVE-2025-49558 was published for magento/community-edition (Composer) Aug 12, 2025
Rack session gets restored after deletion Moderate
CVE-2025-46336 was published for rack-session (RubyGems) May 8, 2025
stengineering0 Credited to stengineering0, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack session gets restored after deletion Moderate
CVE-2025-32441 was published for rack (RubyGems) May 8, 2025
stengineering0 Credited to stengineering0, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens Moderate
CVE-2025-26620 was published for Duende.AccessTokenManagement (NuGet) Feb 19, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database