
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,089 advisories

sse-channel: SSE Injection via unsanitized event fields Moderate
CVE-2026-44217 was published for sse-channel (npm) May 5, 2026
Credited to SnailSploit
ip-address has XSS in Address6 HTML-emitting methods Moderate
CVE-2026-42338 was published for ip-address (npm) May 5, 2026
Credited to scovetta
@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS Moderate
GHSA-7xp7-m392-h92c was published for @evomap/evolver (npm) May 5, 2026
Credited to offset
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload Moderate
GHSA-q8ff-7ffm-m3r9 was published for openclaw (npm) May 5, 2026
Credited to feynman-hou
@workos/authkit-session has an Open Redirect via state-derived redirect target Moderate
CVE-2026-42565 was published for @workos/authkit-session (npm) May 5, 2026
Credited to kenkunz
Duplicate Advisory: OpenClaw: Webchat media embedding enforces local-root containment for tool-result files Moderate
GHSA-qc5j-2mqx-x83q was published for openclaw (npm) Apr 20, 2026 withdrawn
LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution Moderate
CVE-2026-42045 was published for @lobehub/lobehub (npm) May 5, 2026
Credited to Hpd0ger and aftern00n
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided Moderate
CVE-2026-41907 was published for uuid (npm) Apr 22, 2026
Credited to 0xStraw-Hat, frattaro, julianladisch, uniabis, c-harding, milenkotomic, and jwasnoggin
OpenClaw: Empty approver lists could grant explicit approval authorization Moderate
CVE-2026-43574 was published for openclaw (npm) Apr 17, 2026
Credited to anshumanbh
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
CVE-2026-43573 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands Moderate
CVE-2026-43568 was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard Moderate
CVE-2026-43567 was published for openclaw (npm) Apr 17, 2026
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
CVE-2026-43566 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context Moderate
CVE-2026-43535 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input Moderate
CVE-2026-43534 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, qclawer, and KeenSecurityLab
OpenClaw: Discord event cover images bypassed sandbox media normalization Moderate
CVE-2026-43532 was published for openclaw (npm) Apr 17, 2026
Credited to Telecaster2147
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables Moderate
CVE-2026-43531 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Browser SSRF policy default allowed private-network navigation Moderate
CVE-2026-43527 was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes Moderate
CVE-2026-43526 was published for openclaw (npm) Apr 17, 2026
Credited to threalwinky
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy Moderate
CVE-2026-42439 was published for openclaw (npm) Apr 17, 2026
Credited to nicky-cc
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure Moderate
CVE-2026-42438 was published for openclaw (npm) Apr 17, 2026
Credited to Telecaster2147
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
CVE-2026-42436 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms Moderate
CVE-2026-42435 was published for openclaw (npm) Apr 17, 2026
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
Credited to kobi-s
Axios: no_proxy bypass via IP alias allows SSRF Moderate
CVE-2026-42038 was published for axios (npm) May 5, 2026
Credited to srisowmya2000