
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,584 advisories

OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage Low
CVE-2026-31991 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
@keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script High
GHSA-8986-v76q-8vr2 was published for @keep-network/tbtc-v2 (npm) Mar 2, 2026
`melange update-cache` has unbounded HTTP download that can exhaust disk in CI Moderate
CVE-2026-29049 was published for chainguard.dev/melange (Go) Mar 2, 2026
Credited to 1seal, antitree, and 89luca89
pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams Moderate
CVE-2026-28804 was published for pypdf (pip) Mar 2, 2026
Credited to kule500 and stefan6419846
OpenClaw has web_search citation redirect SSRF via private-network-allowing policy High
CVE-2026-31989 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools High
GHSA-jr6x-2q95-fh2g was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root High
GHSA-7xmq-g46g-f8pv was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths Critical
CVE-2026-31999 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization Moderate
GHSA-8m9v-xpgf-g99m was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns Moderate
GHSA-p7gr-f84w-hqg5 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS) Moderate
CVE-2026-32066 was published for openclaw (npm) Mar 2, 2026
Credited to Somet2mes and migraine-sudo
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists Moderate
GHSA-392f-ggf5-fp3c was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure Moderate
CVE-2026-32041 was published for openclaw (npm) Mar 2, 2026
OpenChatBI has a Path Traversal Vulnerability in save_report Tool High
CVE-2026-28795 was published for openchatbi (pip) Mar 2, 2026
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization Critical
CVE-2026-28794 was published for @orpc/client (npm) Mar 2, 2026
Credited to mnixry
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
Credited to kule500
OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling High
CVE-2026-28789 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
Credited to kule500
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization Critical
CVE-2026-27971 was published for @builder.io/qwik (npm) Mar 2, 2026
Credited to sebastianosrt
Credited to dorakemon
MS-Agent vulnerable to Command Injection Moderate
CVE-2026-2256 was published for ms-agent (pip) Mar 2, 2026
Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal High
CVE-2026-28507 was published for idno/known (Composer) Mar 2, 2026
Credited to anuraagbaishya
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint Critical
CVE-2026-28508 was published for idno/known (Composer) Mar 2, 2026
Credited to anuraagbaishya
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction Critical
CVE-2026-28502 was published for wwbn/avideo (Composer) Mar 2, 2026
Credited to arkmarta