Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,272
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,521
Pub
12
RubyGems
1,007
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,583 advisories

Loading
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() Moderate
CVE-2026-29086 was published for hono (npm) Mar 4, 2026
TarPeg007 Credited to TarPeg007
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() Moderate
CVE-2026-29085 was published for hono (npm) Mar 4, 2026
TarPeg007 Credited to TarPeg007
Hono vulnerable to arbitrary file access via serveStatic vulnerability High
CVE-2026-29045 was published for hono (npm) Mar 4, 2026
techfish-11 Credited to techfish-11 and EdamAme-x EdamAme-x EdamAme-x
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty Moderate
CVE-2026-22170 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection Moderate
GHSA-jjgj-cpp9-cvpv was published for openclaw (npm) Mar 4, 2026
NucleiAv Credited to NucleiAv
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations High
GHSA-3jx4-q2m7-r496 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw Canvas Authentication Bypass Vulnerability High
GHSA-vvjh-f6p9-5vcf was published for openclaw (npm) Mar 4, 2026
zdi-disclosures Credited to zdi-disclosures
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images Moderate
CVE-2026-32002 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard Moderate
CVE-2026-32019 was published for openclaw (npm) Mar 4, 2026
princeeismond-dot Credited to princeeismond-dot
OpenClaw has agent avatar symlink traversal in gateway session metadata Moderate
GHSA-9mph-4f7v-fmvh was published for openclaw (npm) Mar 4, 2026
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization Moderate
GHSA-f6h3-846h-2r8w was published for openclaw (npm) Mar 4, 2026
jiseoung Credited to jiseoung
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access Low
GHSA-vjp8-wprm-2jw9 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP Moderate
GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) Mar 4, 2026
zpbrent Credited to zpbrent
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows High
CVE-2026-32005 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package Moderate
CVE-2026-28343 was published for @ckeditor/ckeditor5-html-support (npm) Mar 4, 2026
mhassan1 Credited to mhassan1
Traefik: tcp router clears read deadlines before tls forwarding, enabling stalled handshakes (Slowloris DOS) High
CVE-2026-26999 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
1seal Credited to 1seal
Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS Moderate
CVE-2026-26998 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
sm1ee Credited to sm1ee
Dark Reader gives users the ability to request style sheets from local web servers Low
CVE-2025-68467 was published for darkreader (npm) Mar 4, 2026
XWiki Blog Application home page vulnerable to Stored XSS via Post Title High
CVE-2025-66024 was published for org.xwiki.contrib.blog:application-blog-ui (Maven) Mar 4, 2026
lukasz-rybak Credited to lukasz-rybak
Apache ActiveMQ is Vulnerable to Integer Overflow or Wraparound Moderate
CVE-2025-66168 was published for org.apache.activemq:activemq-all (Maven) Mar 4, 2026
Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions Critical
CVE-2026-27446 was published for org.apache.activemq:artemis-server (Maven) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3242 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3241 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3244 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3240 was published for concrete5/concrete5 (Composer) Mar 4, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database