GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
46 advisories
PraisonAI Vulnerable to RCE via Automatic tools.py Import
High
CVE-2026-40287
was published
for
PraisonAI
(pip)
Apr 10, 2026
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
High
CVE-2026-40156
was published
for
praisonai
(pip)
Apr 10, 2026
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
High
CVE-2026-39883
was published
for
go.opentelemetry.io/otel/sdk
(Go)
Apr 8, 2026
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
High
CVE-2026-41384
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
Critical
CVE-2026-41294
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
High
CVE-2026-35641
was published
for
openclaw
(npm)
Mar 30, 2026
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
High
CVE-2026-32015
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
High
CVE-2026-32009
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
High
CVE-2026-32032
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
Moderate
GHSA-qhrr-grqp-6x2g
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
Moderate
CVE-2026-32016
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
High
CVE-2026-31997
was published
for
openclaw
(npm)
Mar 2, 2026
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
High
CVE-2026-24051
was published
for
go.opentelemetry.io/otel/sdk
(Go)
Feb 2, 2026
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal
High
CVE-2026-25992
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jan 28, 2026
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Moderate
CVE-2026-23888
was published
for
pnpm
(npm)
Jan 26, 2026
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Moderate
CVE-2024-53866
was published
for
pnpm
(npm)
Dec 10, 2024
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
High
CVE-2024-27303
was published
for
app-builder-lib
(npm)
Mar 4, 2024
ProTip!
Advisories are also available from the
GraphQL API