
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,430 advisories

OpenClaw has web_search citation redirect SSRF via private-network-allowing policy High
CVE-2026-31989 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools High
GHSA-jr6x-2q95-fh2g was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root High
GHSA-7xmq-g46g-f8pv was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths Critical
CVE-2026-31999 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has an unauthorized sender bypass in its stop triggers and /models command authorization Moderate
GHSA-8m9v-xpgf-g99m was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns Moderate
CVE-2026-32048 was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS) Moderate
CVE-2026-32066 was published for openclaw (npm) Mar 2, 2026
Credited to Somet2mes and migraine-sudo
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists Moderate
GHSA-392f-ggf5-fp3c was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure High
CVE-2026-32041 was published for openclaw (npm) Mar 2, 2026
OpenChatBI has a Path Traversal Vulnerability in save_report Tool High
CVE-2026-28795 was published for openchatbi (pip) Mar 2, 2026
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization Critical
CVE-2026-28794 was published for @orpc/client (npm) Mar 2, 2026
Credited to mnixry
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
Credited to kule500
OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling High
CVE-2026-28789 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
Credited to kule500
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization Critical
CVE-2026-27971 was published for @builder.io/qwik (npm) Mar 2, 2026
Credited to sebastianosrt and dorakemon
MS-Agent vulnerable to Command Injection Moderate
CVE-2026-2256 was published for ms-agent (pip) Mar 2, 2026
Idno Vulnerable to Remote Code Execution via Chained Import File Write and Template Path Traversal High
CVE-2026-28507 was published for idno/known (Composer) Mar 2, 2026
Credited to anuraagbaishya
Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint Critical
CVE-2026-28508 was published for idno/known (Composer) Mar 2, 2026
Credited to anuraagbaishya
AVideo has Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction Critical
CVE-2026-28502 was published for wwbn/avideo (Composer) Mar 2, 2026
Credited to arkmarta
AVideo has Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php Critical
CVE-2026-28501 was published for wwbn/avideo (Composer) Mar 2, 2026
Credited to arkmarta and 4ur0n
FileBrowser has Path Traversal in Public Share Links that Exposes Files Outside Shared Directory High
CVE-2026-28492 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 2, 2026
Credited to uug4na and hacdias
Products.isurlinportal has possible open redirect when using more than 2 forward slashes Moderate
CVE-2026-28413 was published for Products.isurlinportal (pip) Mar 2, 2026
Credited to ale-rt
NocoDB Missing Ownership Validation in MCP Token Operations Moderate
CVE-2026-28361 was published for nocodb (npm) Mar 2, 2026
Credited to bugbunny-research
ProTip! Advisories are also available from the GraphQL API