GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

27,945 advisories

OpenClaw skills.status could leak secrets to operator.read clients Moderate
CVE-2026-26326 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals High
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
Credited to christos-eth
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) High
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL
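The advisory above names a recurring SSRF-guard failure: the destination check recognises a loopback or metadata address in one spelling but not when the same IPv4 address arrives as an IPv4-mapped IPv6 literal written in full form. The following is an added example, not OpenClaw's code and not a description of its actual fix: a constructed guard that canonicalizes every address literal (including `::ffff:a.b.c.d`, `::ffff:7f00:1` and `0:0:0:0:0:ffff:7f00:1`) to the IPv4 address it embeds before classifying it, shown next to the string-matching check it replaces. All inputs are constructed; DNS resolution and rebinding are out of scope.

```javascript
// Added example (not OpenClaw's code). Canonicalize address literals so an
// SSRF guard sees the real destination regardless of how it is spelled.

// Parse a dotted quad; returns the normalized string or null. Octal/short forms
// (e.g. "0177.0.0.1") are rejected here rather than guessed at.
function parseIPv4(s) {
  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((x) => x <= 255) ? o.join(".") : null;
}

// Parse an IPv6 literal into eight 16-bit groups, or null if invalid.
// Handles "::" compression and a trailing embedded dotted quad.
function parseIPv6(addr) {
  let s = addr;
  const m = s.match(/^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m) {
    const o = m.slice(2, 6).map(Number);
    if (o.some((x) => x > 255)) return null;
    // Rewrite "...:a.b.c.d" as two hex groups so one code path handles both.
    s = m[1] + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  if (!/^[0-9a-fA-F:]+$/.test(s)) return null;
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Strip URL brackets and zone IDs, then reduce IPv4-mapped IPv6 (::ffff:0:0/96)
// to the embedded IPv4 address. Returns {v4} or {v6: groups}, or null.
function canonicalize(literal) {
  const host = literal.replace(/^\[|\]$/g, "").split("%")[0];
  const v4 = parseIPv4(host);
  if (v4) return { v4 };
  const g = parseIPv6(host);
  if (!g) return null;
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return { v4: [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join(".") };
  }
  return { v6: g };
}

function isPrivateIPv4(v4) {
  const [a, b] = v4.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The weak pattern: exact string match against a short denylist. Any other
// spelling of the same address passes.
function naiveIsBlocked(host) {
  const denied = new Set(["127.0.0.1", "localhost", "169.254.169.254", "::1", "::ffff:127.0.0.1"]);
  return denied.has(host);
}

// Hardened: canonicalize, then classify the real destination; fail closed on
// anything that does not parse as an address literal.
function hardenedIsBlocked(host) {
  const c = canonicalize(host);
  if (!c) return true;
  if (c.v4) return isPrivateIPv4(c.v4);
  const g = c.v6;
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true;                       // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                       // fe80::/10 link-local
  return false;
}

// Constructed inputs: the full-form spelling slips past the naive check.
console.log(naiveIsBlocked("0:0:0:0:0:ffff:7f00:1"), hardenedIsBlocked("0:0:0:0:0:ffff:7f00:1"));
```

A guard of this shape still has to be applied to every address the resolver returns for a hostname, after redirects, and to any literal the HTTP client will accept; canonicalizing only the user-supplied string is not enough.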
OpenClaw Gateway tool allowed unrestricted gatewayUrl override High
CVE-2026-26322 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension High
CVE-2026-26321 was published for openclaw (npm) Feb 17, 2026
Credited to zpbrent
OpenClaw macOS deep link confirmation truncation can conceal executed agent message High
CVE-2026-26320 was published for openclaw (npm) Feb 17, 2026
Credited to Cillian-Collins
OpenClaw is missing webhook authentication in the Telnyx provider, allowing unauthenticated requests High
CVE-2026-26319 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec
OpenClaw has a Path Traversal in Plugin Installation High
CVE-2026-28447 was published for openclaw (npm) Feb 17, 2026
Credited to logicx24 and yueyueL
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains Moderate
CVE-2026-28481 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL
Credited to MegaManSec
Credited to simecek, stanislavfortaisle, and MegaManSec
Nextcloud Talk allowlist bypass via actor.name display name spoofing Critical
CVE-2026-28474 was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
CVE-2026-28454 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching Moderate
CVE-2026-28471 was published for openclaw (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust High
CVE-2026-26316 was published for @openclaw/bluebubbles (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
Credited to 0x5t
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers Low
GHSA-g27f-9qjv-22pm was published for openclaw (npm) Feb 17, 2026
Credited to pkerkhofs
OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering Moderate
CVE-2026-28450 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
Apache Tomcat has an Improper Input Validation vulnerability High
CVE-2026-24734 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Credited to Jenson3210
Apache Tomcat - Security constraint bypass with HTTP/0.9 Low
CVE-2026-24733 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Credited to Jenson3210
Apache Tomcat - Client certificate verification bypass Moderate
CVE-2025-66614 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Feb 17, 2026
Credited to Jenson3210
OpenClaw affected by SSRF via attachment/media URL hydration Moderate
CVE-2026-28467 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) High
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
Credited to ByamB4 and yuezk
Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass High
CVE-2026-26275 was published for httpsig-hyper (Rust) Feb 17, 2026
Credited to divi255