GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,945 advisories

NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution (Severity: High)
CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026
opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path (Severity: High)
CVE-2026-26205 was published for github.com/open-policy-agent/opa-envoy-plugin (Go) Feb 18, 2026
Credited to thevilledev
Trivy Action has a script injection via sourced env file in composite action (Severity: Moderate)
CVE-2026-26189 was published for aquasecurity/trivy-action (GitHub Actions) Feb 18, 2026
Credited to 1seal, DmitriyLewen, and simar7
OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway (Severity: High)
CVE-2026-28456 was published for openclaw (npm) Feb 18, 2026
Credited to 222n5
OpenClaw's unsanitized session ID enables path traversal in transcript file operations (Severity: High)
CVE-2026-28482 was published for openclaw (npm) Feb 18, 2026
Credited to akhmittra
Credited to scumfrog
OpenClaw inter-session prompts could be treated as direct user instructions (Severity: High)
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026
Credited to anbecker
Libredesk has a SSRF Vulnerability in Webhooks (Severity: Moderate)
CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) Feb 18, 2026
Credited to PlayerIUnknown
OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides) (Severity: High)
CVE-2026-29610 was published for openclaw (npm) Feb 18, 2026
Credited to akhmittra
OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication (Severity: Moderate)
CVE-2026-28476 was published for openclaw (npm) Feb 18, 2026
Credited to p80n-sec
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled (Severity: Moderate)
CVE-2026-29606 was published for openclaw (npm) Feb 18, 2026
Credited to p80n-sec
OpenClaw Telegram allowlist authorization accepted mutable usernames (Severity: Moderate)
CVE-2026-28480 was published for clawdbot (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw affected by denial of service via unbounded webhook request body buffering (Severity: High)
CVE-2026-28478 was published for clawdbot (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw affected by denial of service via unbounded URL-backed media fetch (Severity: High)
CVE-2026-29609 was published for openclaw (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands (Severity: High)
CVE-2026-28392 was published for openclaw (npm) Feb 18, 2026
Credited to christos-eth
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion (Severity: High)
CVE-2026-28463 was published for openclaw (npm) Feb 18, 2026
Credited to christos-eth
OpenClaw has a command injection in maintainer clawtributors updater (Severity: High)
CVE-2026-26323 was published for openclaw (npm) Feb 18, 2026
Credited to scanleale and MegaManSec
OpenClaw has a path traversal in browser upload allows local file read (Severity: High)
CVE-2026-26329 was published for openclaw (npm) Feb 18, 2026
Credited to p80n-sec
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities (Severity: Moderate)
CVE-2026-26328 was published for clawdbot (npm) Feb 18, 2026
Credited to vincentkoc
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning (Severity: High)
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
Credited to simecek and stanislavfortaisle
Credited to vincentkoc
ProTip! Advisories are also available from the GraphQL API