GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
28,576 advisories
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
High
GHSA-9f72-qcpw-2hxc
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
Moderate
CVE-2026-22169
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
High
CVE-2026-32036
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
Moderate
CVE-2026-32045
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
Moderate
CVE-2026-22171
was published
for
openclaw
(npm)
Mar 3, 2026
DOMPurify contains a Cross-site Scripting vulnerability
Moderate
CVE-2026-0540
was published
for
dompurify
(npm)
Mar 3, 2026
OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Low
CVE-2026-32040
was published
for
openclaw
(npm)
Mar 3, 2026
Temporary path handling could write outside OpenClaw temp boundary
Moderate
CVE-2026-32026
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
Moderate
CVE-2026-32046
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
High
CVE-2026-32037
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
High
CVE-2026-28393
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has command injection via Windows shell fallback in Lobster tool execution
High
CVE-2026-32000
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
High
GHSA-qj22-xqjr-v83v
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has allowlist exec-guard bypass via env -S
Moderate
CVE-2026-31992
was published
for
openclaw
(npm)
Mar 3, 2026
Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface
Moderate
CVE-2026-28223
was published
for
wagtail
(pip)
Mar 3, 2026
Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes
Moderate
CVE-2026-28222
was published
for
wagtail
(pip)
Mar 3, 2026
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
High
CVE-2026-27905
was published
for
bentoml
(pip)
Mar 3, 2026
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
High
CVE-2026-27601
was published
for
underscore
(npm)
Mar 3, 2026
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
Critical
CVE-2026-27012
was published
for
devcode-it/openstamanager
(Composer)
Mar 3, 2026
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Critical
CVE-2026-26279
was published
for
froxlor/froxlor
(Composer)
Mar 3, 2026
OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter
Moderate
CVE-2026-24415
was published
for
devcode-it/openstamanager
(Composer)
Mar 3, 2026
ProTip!
Advisories are also available from the
GraphQL API