GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,439
Maven: 5,000+
npm: 5,000+
NuGet: 883
pip: 4,695
Pub: 13
RubyGems: 1,031
Rust: 1,222
Swift: 53

Unreviewed advisories
All unreviewed: 5,000+
28,660 advisories

mingSoft MCMS does not properly restrict file uploads
Low: CVE-2026-2666 was published for net.mingsoft:ms-mcms (Maven) Feb 18, 2026

OpenStack Nova calls qemu-img without format restrictions for resize
High: CVE-2026-24708 was published for Nova (pip) Feb 18, 2026

Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High: GHSA-97f8-7cmv-76j2 was published for picklescan (pip) Feb 18, 2026

OpenClaw has an authentication bypass in sandbox browser bridge server
High: CVE-2026-28468 was published for openclaw (npm) Feb 18, 2026

OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
High: CVE-2026-28451 was published for openclaw (npm) Feb 18, 2026

OpenClaw has a LFI in BlueBubbles media path handling
High: CVE-2026-29611 was published for openclaw (npm) Feb 18, 2026

OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
Moderate: CVE-2026-27486 was published for openclaw (npm) Feb 18, 2026

OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution
Moderate: CVE-2026-28477 was published for openclaw (npm) Feb 18, 2026

OpenClaw: Prevent shell injection in macOS keychain credential write
High: CVE-2026-27487 was published for openclaw (npm) Feb 18, 2026

OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes
High: CVE-2026-28462 was published for openclaw (npm) Feb 18, 2026

OpenClaw has a Path Traversal in Browser Download Functionality
Moderate: CVE-2026-26972 was published for openclaw (npm) Feb 18, 2026

Jenkins has a stored XSS vulnerability in node offline cause description
High: CVE-2026-27099 was published for org.jenkins-ci.main:jenkins-core (Maven) Feb 18, 2026

Jenkins has a build information disclosure vulnerability through Run Parameter
Moderate: CVE-2026-27100 was published for org.jenkins-ci.main:jenkins-core (Maven) Feb 18, 2026

NVIDIA NeMo Framework Deserializes Untrusted Data
High: CVE-2025-33253 was published for nemo-toolkit (pip) Feb 18, 2026

NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution
High: CVE-2025-33245 was published for nemo-toolkit (pip) Feb 18, 2026

opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in input.parsed_path
High: CVE-2026-26205 was published for github.com/open-policy-agent/opa-envoy-plugin (Go) Feb 18, 2026

Trivy Action has a script injection via sourced env file in composite action
Moderate: CVE-2026-26189 was published for aquasecurity/trivy-action (GitHub Actions) Feb 18, 2026

OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
High: CVE-2026-28456 was published for openclaw (npm) Feb 18, 2026

OpenClaw's unsanitized session ID enables path traversal in transcript file operations
High: CVE-2026-28482 was published for openclaw (npm) Feb 18, 2026

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
High: CVE-2026-26960 was published for tar (npm) Feb 18, 2026

OpenClaw inter-session prompts could be treated as direct user instructions
High: GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026

Libredesk has a SSRF Vulnerability in Webhooks
Moderate: CVE-2026-26957 was published for github.com/abhinavxd/libredesk (Go) Feb 18, 2026

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
High: CVE-2026-29610 was published for openclaw (npm) Feb 18, 2026

OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
Moderate: CVE-2026-28476 was published for openclaw (npm) Feb 18, 2026

ProTip! Advisories are also available from the GraphQL API