Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,407 advisories

Loading
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption Moderate
GHSA-j26j-7qc4-3mrf was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows Moderate
GHSA-2hm8-rqrm-xfjq was published for openclaw (npm) Mar 3, 2026
Adam55A-code Credited to Adam55A-code
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL High
CVE-2026-22217 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
CVE-2026-32896 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation) Moderate
GHSA-2mc2-g238-722j was published for openclaw (npm) Mar 3, 2026
allsmog Credited to allsmog
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`) High
CVE-2026-32009 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS) Moderate
GHSA-77hf-7fqf-f227 was published for openclaw (npm) Mar 3, 2026
GCXWLP Credited to GCXWLP
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels Moderate
CVE-2026-32035 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization High
GHSA-474h-prjg-mmw3 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
MCP NMAP Server has an Injection vulnerability Moderate
CVE-2026-3484 was published for mcp-nmap-server (npm) Mar 3, 2026
OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification High
CVE-2026-32004 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups Moderate
CVE-2026-32028 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind High
CVE-2026-28483 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows Moderate
CVE-2026-22180 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured Moderate
CVE-2026-22181 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
CVE-2026-29608 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots Moderate
GHSA-2858-xg23-26fp was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS Moderate
CVE-2026-32011 was published for openclaw (npm) Mar 3, 2026
GCXWLP Credited to GCXWLP
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace High
CVE-2026-31990 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access Moderate
CVE-2026-29073 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 3, 2026
rezmoss Credited to rezmoss
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI Moderate
CVE-2026-28784 was published for craftcms/cms (Composer) Mar 3, 2026
RajChowdhury240 Credited to RajChowdhury240 and rlarabee rlarabee rlarabee
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action Moderate
CVE-2026-28782 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS has Twig Function Blocklist Bypass Moderate
CVE-2026-28783 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS: Entries Authorship Spoofing via Mass Assignment Moderate
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am, RajChowdhury240, and rlarabee RajChowdhury240 RajChowdhury240
rlarabee rlarabee
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates Critical
CVE-2026-28697 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database