Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

306 advisories

Loading
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades Moderate
GHSA-f44p-c7w9-7xr7 was published for openclaw (npm) Mar 31, 2026
topsec-bunney Credited to topsec-bunney
OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant) Moderate
GHSA-w6m8-cqvj-pg5v was published for openclaw (npm) Mar 30, 2026
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation Moderate
GHSA-3h52-cx59-c456 was published for openclaw (npm) Mar 29, 2026
tdjackey Credited to tdjackey
path-to-regexp vulnerable to Denial of Service via sequential optional groups High
CVE-2026-4926 was published for path-to-regexp (npm) Mar 27, 2026
uug4na Credited to uug4na, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects Moderate
CVE-2026-34043 was published for serialize-javascript (npm) Mar 27, 2026
TomerAberbach Credited to TomerAberbach
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling Moderate
GHSA-rm59-992w-x2mv was published for openclaw (npm) Mar 26, 2026
SEORY0 Credited to SEORY0
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure High
GHSA-4qwc-c7g9-4xcw was published for openclaw (npm) Mar 26, 2026
brace-expansion: Zero-step sequence causes process hang and memory exhaustion Moderate
CVE-2026-33750 was published for brace-expansion (npm) Mar 26, 2026
subhashdasyam Credited to subhashdasyam, katzj, and navgarcha katzj katzj
navgarcha navgarcha
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern High
CVE-2026-33287 was published for liquidjs (npm) Mar 25, 2026
koDove Credited to koDove
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash High
CVE-2026-33285 was published for liquidjs (npm) Mar 25, 2026
koDove Credited to koDove
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers High
CVE-2026-33538 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service Moderate
GHSA-q5pr-72pq-83v3 was published for h3 (npm) Mar 23, 2026
offset Credited to offset
Next.js: Unbounded next/image disk cache growth can exhaust storage Moderate
CVE-2026-27980 was published for next (npm) Mar 17, 2026
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion High
CVE-2026-32980 was published for openclaw (npm) Mar 16, 2026
space08 Credited to space08
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry Moderate
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS) Moderate
GHSA-77hf-7fqf-f227 was published for openclaw (npm) Mar 3, 2026
GCXWLP Credited to GCXWLP
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS Moderate
CVE-2026-32011 was published for openclaw (npm) Mar 3, 2026
GCXWLP Credited to GCXWLP
OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure High
CVE-2026-32062 was published for @openclaw/voice-call (npm) Mar 2, 2026
jiseoung Credited to jiseoung
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels High
CVE-2026-32049 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS) Moderate
CVE-2026-32066 was published for openclaw (npm) Mar 2, 2026
Somet2mes Credited to Somet2mes and migraine-sudo migraine-sudo migraine-sudo
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs Moderate
CVE-2026-27576 was published for openclaw (npm) Feb 20, 2026
aether-ai-agent Credited to aether-ai-agent
OpenClaw has a Web Fetch DoS via unbounded response parsing Moderate
CVE-2026-28394 was published for openclaw (npm) Feb 19, 2026
xuemian168 Credited to xuemian168 and ShangzhiXu ShangzhiXu ShangzhiXu
OpenClaw affected by denial of service via unbounded webhook request body buffering High
CVE-2026-28478 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) Moderate
CVE-2026-28452 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks Moderate
CVE-2026-29612 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database