GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count per ecosystem)
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 47
  GitHub Actions: 48
  Go: 3,378
  Maven: 5,000+
  npm: 5,000+
  NuGet: 881
  pip: 4,573
  Pub: 13
  RubyGems: 1,013
  Rust: 1,205
  Swift: 51
Unreviewed advisories
  All unreviewed: 5,000+

Listing: 1,821 advisories
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
  Moderate severity. CVE-2026-34595 was published for parse-server (npm) on Apr 1, 2026.

Parse Server has a session field immutability bypass via falsy-value guard
  Moderate severity. CVE-2026-34574 was published for parse-server (npm) on Apr 1, 2026.

OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
  Moderate severity. CVE-2026-33578 was published for openclaw (npm) on Apr 1, 2026.

OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
  Moderate severity. CVE-2026-33577 was published for openclaw (npm) on Apr 1, 2026.

OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
  Moderate severity. GHSA-9528-x887-j2fp was published for openclaw (npm) on Mar 31, 2026.

OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
  Moderate severity. GHSA-jp4j-q5fc-58gv was published for openclaw (npm) on Mar 31, 2026.

OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
  Moderate severity. GHSA-m866-6qv5-p2fg was published for openclaw (npm) on Mar 31, 2026.

OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
  Moderate severity. GHSA-f44p-c7w9-7xr7 was published for openclaw (npm) on Mar 31, 2026.

OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
  Moderate severity. GHSA-qf48-qfv4-jjm9 was published for openclaw (npm) on Mar 31, 2026.

OpenClaw: Zalo channel downloads media before sender authorization
  Moderate severity. CVE-2026-33576 was published for openclaw (npm) on Mar 31, 2026.

Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes
  Moderate severity. CVE-2026-34405 was published for nuxt-og-image (npm) on Mar 31, 2026.

Nuxt OG Image vulnerable to Server-Side Request Forgery via user-controlled parameters
  Moderate severity. GHSA-pqhr-mp3f-hrpp was published for nuxt-og-image (npm) on Mar 31, 2026.

Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions
  Moderate severity. CVE-2026-34404 was published for nuxt-og-image (npm) on Mar 31, 2026.

OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
  Moderate severity. GHSA-39mp-545q-w789 was published for openclaw (npm) on Mar 30, 2026.

OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement
  Moderate severity. GHSA-vqvg-86cc-cg83 was published for openclaw (npm) on Mar 30, 2026.

OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
  Moderate severity. GHSA-68f8-9mhj-h2mp was published for openclaw (npm) on Mar 30, 2026.

OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
  Moderate severity. GHSA-w6m8-cqvj-pg5v was published for openclaw (npm) on Mar 30, 2026.

OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
  Moderate severity. GHSA-3298-56p6-rpw2 was published for openclaw (npm) on Mar 30, 2026.

GraphQL API endpoint ignores CORS origin restriction
  Moderate severity. CVE-2026-34373 was published for parse-server (npm) on Mar 30, 2026.

OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
  Moderate severity. GHSA-4hmj-39m8-jwc7 was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
  Moderate severity. GHSA-j4c9-w69r-cw33 was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
  Moderate severity. GHSA-mf5g-6r6f-ghhm was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
  Moderate severity. GHSA-rf6h-5gpw-qrgq was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
  Moderate severity. GHSA-77w2-crqv-cmv3 was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
  Moderate severity. GHSA-3h52-cx59-c456 was published for openclaw (npm) on Mar 29, 2026.
Advisories are also available from the GraphQL API.