GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,740 advisories
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
Moderate
CVE-2026-32024
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Moderate
CVE-2026-31998
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has allowlist exec-guard bypass via env -S
Moderate
CVE-2026-31992
was published
for
openclaw
(npm)
Mar 3, 2026
h3 has an observable timing discrepancy in basic auth utils
Moderate
CVE-2026-33129
was published
for
h3
(npm)
Mar 18, 2026
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
Moderate
CVE-2026-33060
was published
for
@aborruso/ckan-mcp-server
(npm)
Mar 18, 2026
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Moderate
CVE-2026-32040
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
Moderate
CVE-2026-32002
was published
for
openclaw
(npm)
Mar 4, 2026
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
Moderate
CVE-2026-32001
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Moderate
CVE-2026-32029
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
Moderate
CVE-2026-32025
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Moderate
CVE-2026-32017
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification
Moderate
CVE-2026-32004
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Moderate
CVE-2026-32028
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
Moderate
CVE-2026-32011
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Moderate
CVE-2026-32027
was published
for
openclaw
(npm)
Mar 3, 2026
Temporary path handling could write outside OpenClaw temp boundary
Moderate
CVE-2026-32026
was published
for
openclaw
(npm)
Mar 3, 2026
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Moderate
GHSA-4hxc-9384-m385
was published
for
h3
(npm)
Mar 20, 2026
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
Moderate
GHSA-72gr-qfp7-vwhw
was published
for
h3
(npm)
Mar 20, 2026
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Moderate
CVE-2026-33429
was published
for
parse-server
(npm)
Mar 20, 2026
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled
Moderate
GHSA-pgx6-7jcq-2qff
was published
for
@pdfme/common
(npm)
Mar 20, 2026
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Moderate
GHSA-xgx4-2wgv-4jhm
was published
for
@pdfme/schemas
(npm)
Mar 20, 2026
ProTip!
Advisories are also available from the
GraphQL API