
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,557 advisories

OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent` Moderate
GHSA-jf6w-m8jw-jfxc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity High
GHSA-qc36-x95h-7j53 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions Moderate
GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
GHSA-rw39-5899-8mxp was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-xf99-j42q-5w5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries High
GHSA-4w7m-58cg-cmff was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE Critical
GHSA-4jpw-hj22-2xmc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-xw77-45gv-p728 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
GHSA-xvx8-77m6-gwg6 was published for openclaw (npm) Mar 13, 2026
qi-scape Credited to qi-scape
flatted vulnerable to unbounded recursion DoS in parse() revive phase High
CVE-2026-32141 was published for flatted (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
Poseidon V1 variable-length input collision via implicit zero-padding High
CVE-2026-32129 was published for soroban-poseidon (Rust) Mar 13, 2026
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite High
CVE-2026-32116 was published for magic-wormhole (pip) Mar 13, 2026
ikmckenz Credited to ikmckenz
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution Critical
CVE-2026-31886 was published for github.com/dagu-org/dagu (Go) Mar 13, 2026
NucleiAv Credited to NucleiAv
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
SandboxJS affected by a Sandbox Escape Critical
CVE-2026-26954 was published for @nyariv/sandboxjs (npm) Mar 13, 2026
c0rydoras Credited to c0rydoras
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings Moderate
CVE-2026-32320 was published for github.com/ellanetworks/core (Go) Mar 12, 2026
p1-aji Credited to p1-aji and p1-kgy
yianworks Credited to yianworks
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction Moderate
CVE-2026-29066 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete High
CVE-2026-28793 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
ImageMagick: Specially crafted SVG leads to segmentation fault and generate trash files in "/tmp", possible to leverage DoS Moderate
CVE-2023-1289 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
Im10n Credited to Im10n
Black: Arbitrary file writes from unsanitized user input in cache file name High
CVE-2026-32274 was published for black (pip) Mar 12, 2026
fg0x0 Credited to fg0x0
Hyperterse: Raw exposure of database statements in MCP search tool Moderate
CVE-2026-31841 was published for hyperterse (npm) Mar 12, 2026
Tina: Path Traversal in Media Upload Handle High
CVE-2026-28791 was published for tinacms (npm) Mar 12, 2026
yueyueL Credited to yueyueL