GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,972 advisories

OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config (Moderate)
GHSA-mj59-h3q9-ghfh was published for openclaw (npm) on Apr 25, 2026
Credited to garagon

OpenClaw: Isolated cron awareness events were recorded as trusted system events (Low)
GHSA-57r2-h2wj-g887 was published for openclaw (npm) on Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

OpenClaw: Workspace dotenv could override runtime-control environment variables (Moderate)
GHSA-hxvm-xjvf-93f3 was published for openclaw (npm) on Apr 25, 2026
Credited to foodlook

OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy (Moderate)
GHSA-72q8-jcmc-97wx was published for openclaw (npm) on Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization (Low)
CVE-2026-41908 was published for openclaw (npm) on Apr 25, 2026
Credited to Kherrisan

OpenClaw: Hook mapping templates could bypass hook session-key opt-in (Moderate)
GHSA-2xcp-x87w-q377 was published for openclaw (npm) on Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode (Moderate)
CVE-2026-42282 was published for n8n-mcp (npm) on Apr 25, 2026
Credited to Mirr2

electerm has Command Injection via runLinux function (Critical)
CVE-2026-41501 was published for electerm (npm) on Apr 24, 2026
Credited to FORIMOC

Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) (Moderate)
GHSA-39h7-pwv7-rc3x was published for @excalidraw/excalidraw (npm) on Apr 24, 2026

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses (Critical)
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) on Apr 24, 2026
Credited to DanusMinimus and EladMeged-Novee

Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution (High)
CVE-2026-40068 was published for @anthropic-ai/claude-code (npm) on Apr 24, 2026

Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover (High)
CVE-2026-42239 was published for @budibase/backend-core (npm) on Apr 24, 2026
Credited to AyushParkara

RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions (Moderate)
CVE-2026-42190 was published for rwsdk (npm) on Apr 24, 2026
Credited to mthx

liquidjs has a Denial of Service via circular block reference in layout (High)
CVE-2026-41311 was published for liquidjs (npm) on Apr 24, 2026
Credited to 1netvn

PostCSS has XSS via Unescaped </style> in its CSS Stringify Output (Moderate)
CVE-2026-41305 was published for postcss (npm) on Apr 24, 2026
Credited to TharVid

Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding (Moderate)
GHSA-m958-864j-xq5w was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders (Low)
GHSA-7hrg-5w46-5r2x was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account (Moderate)
GHSA-mf69-r24q-ghhr was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist (Low)
GHSA-qgp3-3rj7-qqq4 was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md (High)
GHSA-7vq9-42cc-33j4 was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting (Moderate)
GHSA-w9f5-8q83-qwpx was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message (Low)
GHSA-pr66-whqj-rq5p was published for openclaw (npm) on Apr 24, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code (High)
GHSA-jx3c-247h-cxwp was published for openclaw (npm) on Apr 24, 2026 (withdrawn)