GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (all reviewed: 5,000+):
- Composer: 5,000+
- Erlang: 44
- GitHub Actions: 45
- Go: 3,196
- Maven: 5,000+
- npm: 5,000+
- NuGet: 864
- pip: 4,483
- Pub: 12
- RubyGems: 992
- Rust: 1,186
- Swift: 51
Unreviewed advisories (all unreviewed: 5,000+; 5,177 advisories in the current listing):
- CVE-2026-27545 (High): OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind. Package: openclaw (npm). Published Mar 2, 2026.
- CVE-2026-27524 (Low): OpenClaw's runtime /debug override path accepted prototype-reserved keys. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-27523 (High): OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-27522 (High): OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset. Package: openclaw (npm). Published Mar 2, 2026.
- CVE-2026-22217 (High): OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22181 (High): OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22180 (Moderate): OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22179 (Moderate): OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22178 (Moderate): OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction. Package: openclaw (npm). Published Mar 2, 2026.
- CVE-2026-22177 (High): OpenClaw's config env vars allowed startup env injection into service runtime. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22175 (Moderate): OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c). Package: openclaw (npm). Published Mar 2, 2026.
- CVE-2026-22174 (Moderate): OpenClaw Loopback CDP probe can leak Gateway token to local listener. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22171 (Moderate): OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir(). Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22170 (Moderate): OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty. Package: openclaw (npm). Published Mar 4, 2026.
- CVE-2026-22169 (Moderate): OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints. Package: openclaw (npm). Published Mar 3, 2026.
- CVE-2026-22168 (High): OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments. Package: openclaw (npm). Published Mar 2, 2026.
- CVE-2026-32256 (High): music-metadata has an infinite loop vulnerability in ASF parser. Package: music-metadata (npm). Published Mar 17, 2026.
- CVE-2026-33042 (Moderate): Parse Server affected by empty authData bypassing credential requirement on signup. Package: parse-server (npm). Published Mar 17, 2026.
- CVE-2026-33036 (High): fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278). Package: fast-xml-parser (npm). Published Mar 17, 2026.
- CVE-2026-33011 (High): Nest Fastify HEAD Request Middleware Bypass. Package: @nestjs/platform-fastify (npm). Published Mar 17, 2026.
- CVE-2026-32770 (Moderate): Parse Server LiveQuery subscription with invalid regular expression crashes server. Package: parse-server (npm). Published Mar 17, 2026.
- CVE-2026-32742 (Moderate): Parse Server session creation endpoint allows overwriting server-generated session fields. Package: parse-server (npm). Published Mar 17, 2026.
- CVE-2026-32878 (Moderate): Parse Server vulnerable to schema poisoning via prototype pollution in deep copy. Package: parse-server (npm). Published Mar 17, 2026.
- CVE-2026-32886 (High): Parse Server's Cloud function dispatch crashes server via prototype chain traversal. Package: parse-server (npm). Published Mar 17, 2026.
- GHSA-r3xq-68wh-gwvh (Low): Parse Server has a password reset token single-use bypass via concurrent requests. Package: parse-server (npm). Published Mar 17, 2026.
Advisories are also available from the GraphQL API.