Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,155
Maven
5,000+
npm
5,000+
NuGet
861
pip
4,452
Pub
12
RubyGems
991
Rust
1,180
Swift
50
Unreviewed advisories
All unreviewed
5,000+

320,339 advisories

Loading
Locutus vulnerable to RCE via unsanitized input in create_function() Critical
CVE-2026-32304 was published for locutus (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
SM9 Infinity-Point Ciphertext Forgery Vulnerability Critical
CVE-2026-32614 was published for github.com/emmansun/gmsm (Go) Mar 13, 2026
Cameudis Credited to Cameudis and sunyxedu sunyxedu sunyxedu
pretix unsafely evaluates variables in emails High
CVE-2026-2415 was published for pretix (pip) Feb 16, 2026
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution High
CVE-2026-29783 was published for @github/copilot (npm) Mar 6, 2026
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-qvr7-g57c-mrc7 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent` Moderate
GHSA-jf6w-m8jw-jfxc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity High
GHSA-qc36-x95h-7j53 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions Moderate
GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
GHSA-rw39-5899-8mxp was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-xf99-j42q-5w5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries High
GHSA-4w7m-58cg-cmff was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE Critical
GHSA-4jpw-hj22-2xmc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-xw77-45gv-p728 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
GHSA-xvx8-77m6-gwg6 was published for openclaw (npm) Mar 13, 2026
qi-scape Credited to qi-scape
flatted vulnerable to unbounded recursion DoS in parse() revive phase High
CVE-2026-32141 was published for flatted (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
Poseidon V1 variable-length input collision via implicit zero-padding High
CVE-2026-32129 was published for soroban-poseidon (Rust) Mar 13, 2026
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite High
CVE-2026-32116 was published for magic-wormhole (pip) Mar 13, 2026
ikmckenz Credited to ikmckenz
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution Critical
CVE-2026-31886 was published for github.com/dagu-org/dagu (Go) Mar 13, 2026
NucleiAv Credited to NucleiAv
An improper certificate validation vulnerability has been reported to affect Video Station. If an... Low Unreviewed
CVE-2024-14024 was published Mar 11, 2026
An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains... Low Unreviewed
CVE-2024-14025 was published Mar 11, 2026
Emails sent by pretix can utilize placeholders that will be filled with customer data. For... High Unreviewed
CVE-2026-2451 was published Feb 16, 2026
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
SandboxJS affected by a Sandbox Escape Critical
CVE-2026-26954 was published for @nyariv/sandboxjs (npm) Mar 13, 2026
c0rydoras Credited to c0rydoras
Black: Arbitrary file writes from unsanitized user input in cache file name High
CVE-2026-32274 was published for black (pip) Mar 12, 2026
fg0x0 Credited to fg0x0
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database