GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,740 advisories
sanitize-html Information Exposure vulnerability
Moderate
CVE-2024-21501
was published
for
sanitize-html
(npm)
Feb 24, 2024
Elysia Cookie Value Prototype Pollution
Moderate
CVE-2026-31865
was published
for
elysia
(npm)
Mar 17, 2026
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
Moderate
CVE-2026-32024
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
Moderate
CVE-2026-31998
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has allowlist exec-guard bypass via env -S
Moderate
CVE-2026-31992
was published
for
openclaw
(npm)
Mar 3, 2026
h3 has an observable timing discrepancy in basic auth utils
Moderate
CVE-2026-33129
was published
for
h3
(npm)
Mar 18, 2026
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
Moderate
CVE-2026-33060
was published
for
@aborruso/ckan-mcp-server
(npm)
Mar 18, 2026
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Moderate
CVE-2026-32040
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
Moderate
CVE-2026-32002
was published
for
openclaw
(npm)
Mar 4, 2026
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
Moderate
CVE-2026-32001
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Moderate
CVE-2026-32029
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
Moderate
CVE-2026-32025
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Moderate
CVE-2026-32017
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification
Moderate
CVE-2026-32004
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Moderate
CVE-2026-32028
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS
Moderate
CVE-2026-32011
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
Moderate
CVE-2026-32027
was published
for
openclaw
(npm)
Mar 3, 2026
Temporary path handling could write outside OpenClaw temp boundary
Moderate
CVE-2026-32026
was published
for
openclaw
(npm)
Mar 3, 2026
h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)
Moderate
GHSA-4hxc-9384-m385
was published
for
h3
(npm)
Mar 20, 2026
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
Moderate
GHSA-72gr-qfp7-vwhw
was published
for
h3
(npm)
Mar 20, 2026
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Moderate
CVE-2026-33429
was published
for
parse-server
(npm)
Mar 20, 2026
ProTip!
Advisories are also available from the
GraphQL API