Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,340
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,549
Pub
12
RubyGems
1,012
Rust
1,202
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,795 advisories

Loading
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
GHSA-vcx4-4qxg-mfp4 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Moderate
GHSA-mw7w-g3mg-xqm7 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Moderate
GHSA-9wqx-g2cw-vc7r was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
GHSA-xq8g-hgh6-87hv was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards Moderate
CVE-2026-4923 was published for path-to-regexp (npm) Mar 27, 2026
blakeembrey Credited to blakeembrey and UlisesGascon UlisesGascon UlisesGascon
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization Moderate
GHSA-h8r8-wccr-v5f2 was published for dompurify (npm) Mar 27, 2026
researchatfluidattacks Credited to researchatfluidattacks and caverav caverav caverav
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects Moderate
CVE-2026-34043 was published for serialize-javascript (npm) Mar 27, 2026
TomerAberbach Credited to TomerAberbach
n8n has XSS in its Credential Management Flow Moderate
GHSA-364x-8g5j-x2pr was published for n8n (npm) Mar 27, 2026
yohannslm Credited to yohannslm
n8n has XSS in Chat Trigger Node through Custom CSS Moderate
GHSA-3c7f-5hgj-h279 was published for n8n (npm) Mar 27, 2026
JorianWoltjer Credited to JorianWoltjer
n8n: Authenticated XSS and Open Redirect via Form Node Moderate
GHSA-w673-8fjw-457c was published for n8n (npm) Mar 27, 2026
tCu0n9 Credited to tCu0n9
n8n has a Stored XSS Vulnerability in its Form Trigger Moderate
GHSA-q4fm-pjq6-m63g was published for n8n (npm) Mar 27, 2026
tr4ce-ju Credited to tr4ce-ju
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 Moderate
CVE-2026-33994 was published for locutus (npm) Mar 27, 2026
gtsp233 Credited to gtsp233
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize() Moderate
CVE-2026-33993 was published for locutus (npm) Mar 27, 2026
offset Credited to offset
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention Moderate
GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) Mar 26, 2026
AmirMSafari Credited to AmirMSafari
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts Moderate
GHSA-cfp9-w5v9-3q4h was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision Moderate
GHSA-rqp8-q22p-5j9q was published for openclaw (npm) Mar 26, 2026
tdjackey Credited to tdjackey
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions Moderate
GHSA-x2cm-hg9c-mf5w was published for openclaw (npm) Mar 26, 2026
space08 Credited to space08
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection Moderate
GHSA-844j-xrrq-wgh4 was published for openclaw (npm) Mar 26, 2026
lintsinghua Credited to lintsinghua
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Moderate
GHSA-xhq5-45pm-2gjr was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
GHSA-vfg3-pqpq-93m4 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
GHSA-8883-9w57-vwv6 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status Moderate
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw may have stale policy enforcement for queued node actions Moderate
GHSA-wj55-88gf-x564 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling Moderate
GHSA-rm59-992w-x2mv was published for openclaw (npm) Mar 26, 2026
SEORY0 Credited to SEORY0
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database