GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 41
GitHub Actions: 41
Go: 3,058
Maven: 5,000+
npm: 4,845
NuGet: 825
pip: 4,397
Pub: 12
RubyGems: 988
Rust: 1,147
Swift: 50

Unreviewed advisories:
All unreviewed: 5,000+
9,270 advisories
Advisory ID | Severity | Package (ecosystem) | Published | Title
GHSA-r65x-2hqr-j5hf | High | openclaw (npm) | Mar 3, 2026 | OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
GHSA-f7ww-2725-qvw2 | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
GHSA-fqcm-97m6-w7rm | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
GHSA-hwpq-rrpf-pgcq | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
GHSA-943q-mwmv-hhvh | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: Gateway /tools/invoke tool escalation + ACP permission auto-approval
GHSA-xw4p-pw82-hqr7 | High | openclaw (npm) | Mar 2, 2026 | OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace
GHSA-p25h-9q54-ffvw | High | openclaw (npm) | Mar 2, 2026 | OpenClaw has Zip Slip path traversal in tar archive extraction
GHSA-mfg5-7q5g-f37j | High | @openclaw/voice-call (npm) | Mar 2, 2026 | OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure
GHSA-jq4x-98m3-ggq6 | High | openclaw (npm) | Mar 2, 2026 | OpenClaw Canvas Path Traversal Information Disclosure Vulnerability
GHSA-5v6x-rfc3-7qfr | High | openclaw (npm) | Mar 2, 2026 | OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
GHSA-8986-v76q-8vr2 | High | @keep-network/tbtc-v2 (npm) | Mar 2, 2026 | @keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script
GHSA-q399-23r3-hfx4 | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
GHSA-g99v-8hwm-g76g | High | openclaw (npm) | Mar 2, 2026 | OpenClaw has web_search citation redirect SSRF via private-network-allowing policy
GHSA-jr6x-2q95-fh2g | High | openclaw (npm) | Mar 2, 2026 | OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools
GHSA-7xmq-g46g-f8pv | High | openclaw (npm) | Mar 2, 2026 | OpenClaw: Sandbox media TOCTOU could read files outside sandbox root
GHSA-x82f-27x3-q89c | High | openclaw (npm) | Mar 2, 2026 | OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries
GHSA-vmwq-8g8c-jm79 | High | openchatbi (pip) | Mar 2, 2026 | OpenChatBI has a Path Traversal Vulnerability in save_report Tool
GHSA-4fqm-6fmh-82mq | High | github.com/OliveTin/OliveTin (Go) | Mar 2, 2026 | OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login
GHSA-45m3-398w-m2m9 | High | github.com/OliveTin/OliveTin (Go) | Mar 2, 2026 | OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling
GHSA-gjjc-pcwp-c74m | High | @oneuptime/common (npm) | Mar 2, 2026 | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay
GHSA-37j7-56xc-c468 | High | idno/known (Composer) | Mar 2, 2026 | Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal
CVE-2026-28438 | High | cocoindex (pip) | Mar 2, 2026 | CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements
CVE-2026-28492 | High | github.com/filebrowser/filebrowser/v2 (Go) | Mar 2, 2026 | FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory
CVE-2026-28342 | High | github.com/OliveTin/OliveTin (Go) | Mar 2, 2026 | OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint
CVE-2026-27932 | High | joserfc (pip) | Mar 2, 2026 | joserfc's PBES2 p2c Unbounded Iteration Count enables Denial of Service (DoS)
Advisories are also available from the GraphQL API.