GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 45; Go 3,248; Maven 5,000+; npm 5,000+; NuGet 867; pip 4,513; Pub 12; RubyGems 997; Rust 1,189; Swift 51.
Unreviewed advisories: 5,000+.

5,215 advisories match the current filter; every entry listed below is an npm package.
fetch(url) leads to a memory leak in undici
    Moderate. CVE-2024-24750, published for undici (npm) on Feb 16, 2024.
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
    High. CVE-2024-26135, published for meshcentral (npm) on Feb 21, 2024.
Cross-site Scripting in electron-pdf
    High. CVE-2024-1648, published for electron-pdf (npm) on Feb 20, 2024.
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR
    Moderate. CVE-2026-33397, published for @angular/ssr (npm) on Mar 19, 2026.
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`
    High. CVE-2026-32763, published for kysely (npm) on Mar 18, 2026.
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
    Moderate. CVE-2026-32041, published for openclaw (npm) on Mar 2, 2026.
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
    Moderate. CVE-2026-32040, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
    Moderate. CVE-2026-32039, published for openclaw (npm) on Mar 3, 2026.
OpenClaw has a sandbox network isolation bypass via docker.network=container:<id>
    Moderate. CVE-2026-32038, published for openclaw (npm) on Mar 2, 2026.
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
    High. CVE-2026-32037, published for openclaw (npm) on Mar 3, 2026.
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
    High. CVE-2026-32036, published for openclaw (npm) on Mar 3, 2026.
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
    Moderate. CVE-2026-32035, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
    Moderate. CVE-2026-32034, published for openclaw (npm) on Mar 3, 2026.
OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
    Moderate. CVE-2026-32033, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
    Moderate. CVE-2026-32032, published for openclaw (npm) on Mar 3, 2026.
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch
    Moderate. CVE-2026-32031, published for openclaw (npm) on Mar 12, 2026.
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
    High. CVE-2026-32030, published for openclaw (npm) on Mar 3, 2026.
OpenClaw improperly parses X-Forwarded-For behind trusted proxies, allowing client IP spoofing in security decisions
    Moderate. CVE-2026-32029, published for openclaw (npm) on Mar 3, 2026.
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
    Moderate. CVE-2026-32028, published for openclaw (npm) on Mar 3, 2026.
OpenClaw DM pairing-store identities could satisfy group allowlist authorization
    Moderate. CVE-2026-32027, published for openclaw (npm) on Mar 3, 2026.
Temporary path handling could write outside OpenClaw temp boundary
    Moderate. CVE-2026-32026, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
    Moderate. CVE-2026-32025, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
    Moderate. CVE-2026-32024, published for openclaw (npm) on Mar 3, 2026.
OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
    Moderate. CVE-2026-32023, published for openclaw (npm) on Mar 3, 2026.
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
    Moderate. CVE-2026-32022, published for openclaw (npm) on Mar 3, 2026.
ProTip! Advisories are also available from the GraphQL API.
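As an added example of using that API (not GitHub's own code), the following Node.js script issues the `securityAdvisories` query using the field names of GitHub's public GraphQL schema, then flattens and filters the result the way the listing above does, one row per advisory and package. The network call assumes a `GITHUB_TOKEN` environment variable and Node 18+ for the global `fetch`; the response object at the bottom is a constructed sample with placeholder identifiers so that the parsing runs offline.

```javascript
// Added example (not GitHub's code): list advisories via the GitHub GraphQL API.
// Run with: GITHUB_TOKEN=... node advisories.js   (Node 18+, global fetch)

const GRAPHQL_ENDPOINT = 'https://api.github.com/graphql';

// Field names follow the public schema types SecurityAdvisory and SecurityVulnerability.
const ADVISORY_QUERY = `
query RecentAdvisories($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}`;

// One page of advisories; `after` is the cursor returned by the previous page.
async function fetchAdvisoryPage(token, first = 25, after = null) {
  const res = await fetch(GRAPHQL_ENDPOINT, {
    method: 'POST',
    headers: { Authorization: `bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ query: ADVISORY_QUERY, variables: { first, after } }),
  });
  if (!res.ok) throw new Error(`GraphQL endpoint returned HTTP ${res.status}`);
  const body = await res.json();
  if (body.errors) throw new Error(`GraphQL errors: ${JSON.stringify(body.errors)}`);
  return body.data.securityAdvisories;
}

// Flatten a SecurityAdvisoryConnection into one row per (advisory, package),
// which is the granularity of the listing on this page.
function flattenAdvisories(connection) {
  const rows = [];
  for (const adv of connection.nodes) {
    const cveId = adv.identifiers.find((id) => id.type === 'CVE');
    for (const vuln of adv.vulnerabilities.nodes) {
      rows.push({
        ghsaId: adv.ghsaId,
        cve: cveId ? cveId.value : null,       // GitHub-originated advisories may carry no CVE
        summary: adv.summary,
        severity: adv.severity,                // LOW | MODERATE | HIGH | CRITICAL
        publishedAt: adv.publishedAt,
        ecosystem: vuln.package.ecosystem,     // NPM, PIP, MAVEN, ...
        package: vuln.package.name,
        vulnerableRange: vuln.vulnerableVersionRange,
        firstPatched: vuln.firstPatchedVersion ? vuln.firstPatchedVersion.identifier : null,
      });
    }
  }
  return rows;
}

// The page's ecosystem and severity facets, applied client-side.
const SEVERITY_RANK = { LOW: 0, MODERATE: 1, HIGH: 2, CRITICAL: 3 };
function filterRows(rows, { ecosystem = null, minSeverity = 'LOW' } = {}) {
  return rows.filter((r) =>
    (ecosystem === null || r.ecosystem === ecosystem) &&
    SEVERITY_RANK[r.severity] >= SEVERITY_RANK[minSeverity]);
}

// Constructed sample connection (placeholder identifiers, not real advisories)
// so the parsing path runs without network access.
const SAMPLE_CONNECTION = {
  pageInfo: { hasNextPage: false, endCursor: null },
  nodes: [
    { ghsaId: 'GHSA-example-0001', summary: 'Constructed: path traversal in example-gateway',
      severity: 'HIGH', publishedAt: '2026-03-03T00:00:00Z',
      identifiers: [{ type: 'GHSA', value: 'GHSA-example-0001' }, { type: 'CVE', value: 'CVE-0000-0001' }],
      vulnerabilities: { nodes: [
        { package: { ecosystem: 'NPM', name: 'example-gateway' }, vulnerableVersionRange: '< 2.1.0',
          firstPatchedVersion: { identifier: '2.1.0' } } ] } },
    { ghsaId: 'GHSA-example-0002', summary: 'Constructed: header spoofing in example-proxy-utils',
      severity: 'MODERATE', publishedAt: '2026-03-02T00:00:00Z',
      identifiers: [{ type: 'GHSA', value: 'GHSA-example-0002' }],   // no CVE assigned
      vulnerabilities: { nodes: [
        { package: { ecosystem: 'NPM', name: 'example-proxy-utils' }, vulnerableVersionRange: '<= 1.4.2',
          firstPatchedVersion: null },
        { package: { ecosystem: 'PIP', name: 'example-proxy-utils' }, vulnerableVersionRange: '< 1.5',
          firstPatchedVersion: { identifier: '1.5' } } ] } },
  ],
};

function npmHighOrWorse(connection = SAMPLE_CONNECTION) {
  return filterRows(flattenAdvisories(connection), { ecosystem: 'NPM', minSeverity: 'HIGH' });
}

for (const r of npmHighOrWorse()) console.log(r.cve || r.ghsaId, r.severity, r.package, r.vulnerableRange);
if (process.env.GITHUB_TOKEN) {
  fetchAdvisoryPage(process.env.GITHUB_TOKEN, 10)
    .then((page) => { for (const r of flattenAdvisories(page)) console.log(r.cve || r.ghsaId, r.severity, r.ecosystem, r.package); })
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

For a vulnerability feed that drives alerting, page with `publishedSince` or `updatedSince` arguments on `securityAdvisories` rather than re-reading the whole list, and key on `ghsaId`, since an advisory can be updated or withdrawn after publication.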