Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,340
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,549
Pub
12
RubyGems
1,012
Rust
1,202
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,905 advisories

Loading
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
GHSA-vfg3-pqpq-93m4 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement High
GHSA-3w6x-gv34-mqpf was published for openclaw (npm) Mar 26, 2026
tdjackey Credited to tdjackey
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
GHSA-8883-9w57-vwv6 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status Moderate
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw may have stale policy enforcement for queued node actions Moderate
GHSA-wj55-88gf-x564 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw has Inconsistent Host Exec Environment Override Sanitization High
GHSA-39pp-xp36-q6mg was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths High
GHSA-48vw-m3qc-wr99 was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling Moderate
GHSA-rm59-992w-x2mv was published for openclaw (npm) Mar 26, 2026
SEORY0 Credited to SEORY0
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution Moderate
GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure High
GHSA-4qwc-c7g9-4xcw was published for openclaw (npm) Mar 26, 2026
Contrast BadAML injection allows arbitrary code execution High
GHSA-g9ww-x58f-9g6m was published for github.com/edgelesssys/contrast (Go) Mar 26, 2026
katexochen Credited to katexochen and sespiros sespiros sespiros
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface High
GHSA-cxmw-p77q-wchg was published for openclaw (npm) Mar 26, 2026
cyjhhh Credited to cyjhhh
ImageMagick has an Out-of-bounds Write via InterpretImageFilename Moderate
CVE-2026-33536 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 26, 2026
fumfel Credited to fumfel
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper High
GHSA-qm9x-v7cx-7rq4 was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement High
GHSA-65h8-27jh-q8wv was published for openclaw (npm) Mar 26, 2026
kuranikaran Credited to kuranikaran
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution. High
GHSA-wv46-v6xc-2qhf was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin
OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation Moderate
GHSA-h3x4-hc5v-v2gm was published for openclaw (npm) Mar 26, 2026
RacerZ-fighting Credited to RacerZ-fighting and Fushuling Fushuling Fushuling
Statamic allows unauthorized content access through missing authorization in its revision controllers Moderate
CVE-2026-33887 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields Moderate
CVE-2026-33886 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential Moderate
CVE-2026-33885 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's live preview token bypasses content protection for unrelated entries Moderate
CVE-2026-33884 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag Moderate
CVE-2026-33883 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
Statamic's Markdown preview endpoint exposes sensitive user data Moderate
CVE-2026-33882 was published for statamic/cms (Composer) Mar 26, 2026
joshuaalwin Credited to joshuaalwin
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers High
GHSA-wq58-2pvg-5h4f was published for openclaw (npm) Mar 26, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication Moderate
GHSA-6mqc-jqh6-x8fc was published for openclaw (npm) Mar 26, 2026
smaeljaish771 Credited to smaeljaish771
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database