Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,323
Maven
5,000+
npm
5,000+
NuGet
880
pip
4,539
Pub
12
RubyGems
1,010
Rust
1,201
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,833 advisories

Loading
Keycloak's identity-first login flow exposes user information Low
CVE-2026-4633 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages Moderate
CVE-2026-28809 was published for esaml (Erlang) Mar 23, 2026
Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false Moderate
CVE-2026-4628 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching Low
CVE-2026-4539 was published for Pygments (pip) Mar 22, 2026
Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback Low
GHSA-8mr2-f9wf-hcfq was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata Moderate
GHSA-rcx4-77x4-hjx5 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
GHSA-vh4c-j2xv-9pv9 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress Moderate
GHSA-g839-vp47-wgh8 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse Moderate
GHSA-3r78-rqg8-95gg was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf High
GHSA-9f79-7pw8-3fj8 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class) High
GHSA-rj39-33v7-9xrq was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
GHSA-mxmg-3p7m-2ghr was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access Low
GHSA-vmvw-pwwf-cc2w was published for openclaw (NuGet) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions Moderate
GHSA-xh9j-mpc9-2m9p was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows Low
GHSA-cjq8-m7wj-xmq9 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers Moderate
GHSA-xgwg-m42c-8q62 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication High
GHSA-cxcw-jm67-3wwp was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes High
GHSA-qwmf-95r9-gx9x was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text Moderate
GHSA-w6f4-3v35-qjhj was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks Moderate
GHSA-86jj-29wc-7q2w was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels High
GHSA-xq3g-m3j8-2vmm was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability Moderate
GHSA-q94v-v6m9-jhq9 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host Moderate
GHSA-3p2x-hjxj-c7rv was published for openclaw (npm) Mar 21, 2026 withdrawn
NFS CSI driver for Kubernetes is Vulnerable to Path Traversal through Volume Identifier Parameter Moderate
CVE-2026-3864 was published for github.com/kubernetes-csi/csi-driver-nfs (Go) Mar 21, 2026
MindSQL is vulnerable to Code Injection through its ask_db function Low
CVE-2026-4506 was published for mindsql (pip) Mar 21, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database