
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

9,912 advisories

OpenClaw gateway exec allow-always over-trusts positional carrier executables High
GHSA-p4x4-2r7f-wjxg was published for openclaw (npm) Apr 1, 2026
Credited to nexrin
SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated) High
CVE-2026-34605 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to fg0x0
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion High
CVE-2026-34601 was published for @xmldom/xmldom (npm) Apr 1, 2026
Credited to thesmartshadow
YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter" High
CVE-2026-34598 was published for yeswiki/yeswiki (Composer) Apr 1, 2026
Credited to kh0kamoni
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state High
CVE-2026-32918 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution High
CVE-2026-34585 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 1, 2026
Credited to ngocnn97
TorchGeo Remote Code Execution Vulnerability High
CVE-2024-49048 was published for torchgeo (pip) Apr 1, 2026
Credited to zpbrent, calebrob6, and adamjstewart
Duplicate Advisory: TorchGeo Remote Code Execution Vulnerability High
GHSA-g5vp-j278-8pjh was published for torchgeo (pip) Nov 12, 2024 withdrawn
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset` High
GHSA-5r8f-96gm-5j6g was published for openclaw (npm) Apr 1, 2026
Credited to zpbrent
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper High
GHSA-6pfc-6m7w-m8fx was published for openclaw (npm) Mar 31, 2026
Credited to LonggTeng
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing High
GHSA-6xg4-82hv-cp6f was published for openclaw (npm) Mar 31, 2026
Credited to zpbrent
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure High
GHSA-jccr-rrw2-vc8h was published for openclaw (npm) Mar 31, 2026
Credited to nicky-cc
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation High
CVE-2026-33581 was published for openclaw (npm) Mar 31, 2026
Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation High
GHSA-3gr8-2752-h46q was published for openclaw (npm) Mar 31, 2026 withdrawn
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions High
CVE-2026-34503 was published for openclaw (npm) Mar 31, 2026
Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions High
GHSA-89hr-6x2p-8xjv was published for openclaw (npm) Mar 31, 2026 withdrawn