GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (all reviewed: 5,000+), by ecosystem: Composer 5,000+; Erlang 47; GitHub Actions 48; Go 3,378; Maven 5,000+; npm 5,000+; NuGet 881; pip 4,573; Pub 13; RubyGems 1,013; Rust 1,205; Swift 51
Unreviewed advisories (all unreviewed: 5,000+)

326 advisories match the current filter; every entry listed below is rated Low severity.

Title | Severity | Advisory ID | Package (ecosystem) | Published
OpenClaw affected by SSRF via unguarded image download in fal provider | Low | GHSA-qxgf-hmcj-3xw3 | openclaw (npm) | Apr 1, 2026
OpenClaw SSRF guard misses four IPv6 special-use ranges | Low | GHSA-g86v-f9qv-rh6m | openclaw (npm) | Mar 31, 2026
Parse Server has an MFA single-use token bypass via concurrent authData login requests | Low | CVE-2026-34224 | parse-server (npm) | Mar 29, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links | Low | CVE-2026-25724 | @anthropic-ai/claude-code (npm) | Feb 6, 2026
jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations | Low | CVE-2026-4603 | jsrsasign (npm) | Mar 23, 2026
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access | Low | CVE-2026-32067 | openclaw (npm) | Mar 4, 2026
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows | Low | CVE-2026-32058 | openclaw (npm) | Mar 2, 2026
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating | Low | CVE-2026-27183 | openclaw (npm) | Mar 9, 2026
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation | Low | CVE-2026-32040 | openclaw (npm) | Mar 3, 2026
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController) | Low | GHSA-53p3-c7vp-4mcc | action_text-trix (RubyGems) | Mar 29, 2026
Handlebars.js has a Property Access Validation Bypass in container.lookup | Low | GHSA-442j-39wm-28r2 | handlebars (npm) | Mar 29, 2026
Parse Server: MFA recovery code single-use bypass via concurrent requests | Low | CVE-2026-33624 | parse-server (npm) | Mar 24, 2026
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes | Low | CVE-2026-33490 | h3 (npm) | Mar 20, 2026
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter | Low | GHSA-c7w3-x93f-qmm8 | nodemailer (npm) | Mar 26, 2026
OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation | Low | GHSA-pw7h-9g6p-c378 | openclaw (npm) | Mar 26, 2026
Astro: Remote allowlist bypass via unanchored matchPathname wildcard | Low | CVE-2026-33769 | astro (npm) | Mar 26, 2026
Next.js: null origin can bypass dev HMR websocket CSRF checks | Low | CVE-2026-27977 | next (npm) | Mar 17, 2026
@grackle-ai/server JSON.parse lacks try-catch logic in its gRPC Service AdapterConfig Handling | Low | GHSA-8g29-8xwr-qmhr | @grackle-ai/server (npm) | Mar 25, 2026
@grackle-ai/server has a Missing Secure Flag on Session Cookie | Low | GHSA-5j35-xr4g-vwf4 | @grackle-ai/server (npm) | Mar 25, 2026
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template | Low | GHSA-7q9x-8g6p-3x75 | @grackle-ai/server (npm) | Mar 25, 2026
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows | Low | GHSA-cjq8-m7wj-xmq9 | openclaw (npm) | Mar 21, 2026 (withdrawn)
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback | Low | CVE-2026-32897 | openclaw (npm) | Mar 3, 2026
Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback | Low | GHSA-8mr2-f9wf-hcfq | openclaw (npm) | Mar 21, 2026 (withdrawn)
Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin | Low | GHSA-68c2-4mpx-qh95 | @sentry/react-native (npm) | Mar 1, 2024
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage | Low | CVE-2026-31991 | openclaw (npm) | Mar 2, 2026
Advisories are also available from the GraphQL API.