GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (all reviewed: 5,000+): Composer 5,000+; Erlang 44; GitHub Actions 46; Go 3,272; Maven 5,000+; npm 5,000+; NuGet 867; pip 4,521; Pub 12; RubyGems 1,007; Rust 1,194; Swift 51.
Unreviewed advisories (all unreviewed): 5,000+.
27,583 advisories
All 25 advisories listed below were published for openclaw (npm) on Mar 3, 2026. Each line gives the identifier, the GitHub-assigned severity and the advisory title.

CVE-2026-32029 (Moderate): OpenClaw improperly parses X-Forwarded-For behind trusted proxies, allowing client IP spoofing in security decisions
GHSA-7ff8-xjh3-mgh6 (High): OpenClaw's non-default autoAllowSkills setting could bypass the on-miss exec prompt
GHSA-xgf2-vxv2-rrmg (High): OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
CVE-2026-27524 (Low): OpenClaw's runtime /debug override path accepted prototype-reserved keys
CVE-2026-32033 (Moderate): OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
GHSA-w9cg-v44m-4qv8 (High): OpenClaw is affected by BASH_ENV / ENV startup-file injection into spawned shell commands
GHSA-r294-2894-92j3 (Moderate): OpenClaw has stored XSS in the exported session HTML viewer via markdown/raw-HTML rendering
GHSA-xmv6-r34m-62p4 (High): OpenClaw sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
CVE-2026-32015 (High): OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
CVE-2026-32063 (High): OpenClaw improperly neutralizes line breaks in systemd unit generation, enabling local command execution (Linux)
GHSA-vvgp-4c28-m3jm (Low): OpenClaw has a trusted-proxy Control UI pairing bypass that allows unpaired node sessions
CVE-2026-22174 (Moderate): OpenClaw's loopback CDP probe can leak the Gateway token to a local listener
CVE-2026-22176 (High): OpenClaw has command injection via unescaped environment assignments in Windows Scheduled Task script generation
GHSA-4cqv-h74h-93j4 (Moderate): OpenClaw has a Discord `allowFrom` slug-collision authorization bypass
CVE-2026-32034 (Moderate): OpenClaw's opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
GHSA-h97f-6pqj-q452 (Moderate): OpenClaw has an IPv6 multicast SSRF classifier bypass
CVE-2026-32017 (Moderate): OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
GHSA-pfv7-rr5m-qmv6 (Moderate): OpenClaw has an auth inconsistency on the local Browser Extension Relay /extension endpoint
CVE-2026-32059 (High): OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
CVE-2026-32021 (Moderate): OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
CVE-2026-22179 (High): OpenClaw has a macOS `system.run` allowlist bypass via quoted command substitution
GHSA-5h2c-8v84-qpvr (Moderate): OpenClaw's shell-env fallback trusted the startup env and could execute attacker-influenced login-shell paths
GHSA-ff98-w8hj-qrxf (Moderate): OpenClaw plugin runtime command execution is part of the trusted plugin boundary
GHSA-553v-f69r-656j (Moderate): OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
CVE-2026-32008 (Moderate): OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
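The first advisory above (CVE-2026-32029) names a bug class, trusting X-Forwarded-For behind reverse proxies, that is easiest to understand in code. What follows is an added illustration written by the editor; it is not OpenClaw's code and does not describe how OpenClaw's parser was implemented or fixed. The proxy addresses, the "loopback skips authentication" policy and the request header are all constructed for the example.

```javascript
// Added example (editor's illustration, not OpenClaw's code): how a service
// behind reverse proxies should derive the client IP from X-Forwarded-For.
// Each proxy appends the address it received the request from, so the
// rightmost entries are the ones our own proxies wrote; the leftmost entry
// is whatever the original client chose to send.

// Assumed addresses of the reverse proxies we operate (constructed).
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// Naive parser: takes the leftmost hop, which the client fully controls.
function clientIpNaive(xff, remoteAddr) {
  if (!xff) return remoteAddr;
  return xff.split(",")[0].trim();
}

// Hardened parser: the header only means something if the TCP peer is one
// of our proxies. Walk the chain right to left and stop at the first hop
// that is not a trusted proxy; that is the address that really connected.
function clientIpTrusted(xff, remoteAddr, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddr)) return remoteAddr;
  const hops = (xff || "")
    .split(",")
    .map((hop) => hop.trim())
    .filter((hop) => hop.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  // Header empty or made up entirely of our own proxies: use the peer.
  return remoteAddr;
}

function isLoopback(ip) {
  return ip === "127.0.0.1" || ip === "::1";
}

// A security decision that depends on the client IP (constructed policy):
// requests that appear to come from loopback skip authentication.
function skipsAuth(xff, remoteAddr, resolveClientIp) {
  return isLoopback(resolveClientIp(xff, remoteAddr));
}

// Constructed request: an attacker at 203.0.113.7 sends a forged header and
// reaches us through proxy 10.0.0.5, which appended the attacker's address.
const FORGED_XFF = "127.0.0.1, 203.0.113.7";
const PROXY_PEER = "10.0.0.5";

console.log("naive:", clientIpNaive(FORGED_XFF, PROXY_PEER));     // 127.0.0.1
console.log("trusted:", clientIpTrusted(FORGED_XFF, PROXY_PEER)); // 203.0.113.7
```

The naive resolver lets the forged header satisfy the loopback check; the hardened one returns the attacker's real address, and when the peer is not one of our proxies it ignores the header entirely.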
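CVE-2026-27524 above concerns a runtime override path that accepted prototype-reserved keys. The following is an added, generic illustration of that class written by the editor; it is not OpenClaw's code and makes no claim about how its /debug override was built. The config shape, the request body and the `applyOverride` handler are constructed for the example.

```javascript
// Added example (editor's illustration, not OpenClaw's code): a runtime
// override endpoint that deep-merges caller-supplied JSON into a config
// object. JSON.parse creates an own property for a key named "__proto__",
// and a merge that recurses into target["__proto__"] ends up writing into
// Object.prototype, which every plain object in the process then inherits.

const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable merge: accepts every key, so {"__proto__": {...}} pollutes
// Object.prototype through the recursive call.
function mergeUnsafe(target, override) {
  for (const key of Object.keys(override)) {
    const value = override[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: rejects prototype-reserved keys outright and only recurses
// into properties the target owns itself, never into inherited ones.
function mergeSafe(target, override) {
  for (const key of Object.keys(override)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`override rejected: reserved key "${key}"`);
    }
    const value = override[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Handler shape (constructed): parse the body, apply it with the safe merge,
// and report either the new config or the reason the override was refused.
function applyOverride(config, body) {
  try {
    const override = JSON.parse(body);
    if (!isPlainObject(override)) return { ok: false, error: "override must be an object" };
    return { ok: true, config: mergeSafe(config, override) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed attacker body aimed at the vulnerable merge.
const POLLUTING_BODY = '{"__proto__": {"isAdmin": true}}';

console.log(applyOverride({ debug: false }, POLLUTING_BODY)); // { ok: false, error: 'override rejected: ...' }
```

Rejecting the three reserved names is the minimum; the `hasOwnProperty` check in `mergeSafe` additionally stops the merge from descending into anything the target merely inherits, which closes the same hole for keys that reach the prototype chain indirectly.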
Advisories are also available from the GraphQL API.