GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,945 advisories

The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide High
CVE-2026-26267 was published for soroban-sdk-macros (Rust) Feb 17, 2026
Credited to leighmcculloch, mootz12, nan-zellic, and dmkozh
emp3r0r Affected by Concurrent Map Access DoS (panic/crash) High
CVE-2026-26201 was published for github.com/jm33-m0/emp3r0r/core (Go) Feb 17, 2026
Credited to xtle0o0
Skill-scanner Unsecured Network Binding Vulnerability Moderate
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
Credited to duddnr0615k and DaneEveritt
Indico Affected by Cross-Site-Scripting via material uploads Moderate
CVE-2026-25739 was published for indico (pip) Feb 17, 2026
Credited to dreyercito
Echo has a Windows path traversal via backslash in middleware.Static default filesystem Moderate
CVE-2026-25766 was published for github.com/labstack/echo/v5 (Go) Feb 17, 2026
Credited to shblue21, aldas, and vishr
Indico has Server-Side Request Forgery (SSRF) in multiple places Moderate
CVE-2026-25738 was published for indico (pip) Feb 17, 2026
Credited to rahulgovind, inkz, and yueyueL
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href Moderate
CVE-2026-25500 was published for rack (RubyGems) Feb 17, 2026
Credited to thesmartshadow, jeremyevans, and ioquatix
Credited to yueyueL
Unauthenticated File Upload in Gogs Moderate
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Gogs has a Protected Branch Deletion Bypass in Web Interface High
CVE-2026-25232 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs Moderate
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs Allows Cross-Repository Comment Deletion via DeleteComment Moderate
CVE-2026-25120 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to tenbbughunters
Credited to KonstantinMirin
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change High
GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) Feb 17, 2026
Credited to KTOymep
Credited to simecek and stanislavfortaisle
OpenClaw affected by SSRF in Image Tool Remote Fetch High
GHSA-56f2-hvwg-5743 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback Moderate
CVE-2026-28395 was published for openclaw (npm) Feb 17, 2026
Credited to qi-scape
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
CVE-2026-28470 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
Credited to johnatzeropath, LeftenantZero, and yueyueL
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating High
CVE-2026-28391 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw has an arbitrary transcript path file write via gateway sessionFile High
CVE-2026-28459 was published for openclaw (npm) Feb 17, 2026
Credited to tubadeligoz
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing High
GHSA-hv93-r4j3-q65f was published for openclaw (npm) Feb 17, 2026
Credited to alpernae
Weblate has an argument injection in management console Moderate
CVE-2026-24126 was published for Weblate (pip) Feb 17, 2026
Credited to alexb616 and nijel
Credited to simecek and stanislavfortaisle