GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,945 advisories

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing Moderate
GHSA-866c-wwm5-4rj7 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path Moderate
GHSA-8px5-2gfr-7ph6 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-ggm6-h3mx-cmmp was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation Moderate
GHSA-82gw-wqw6-r2cf was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage Low
GHSA-r849-826x-wgqm was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths Moderate
GHSA-h36m-2vh5-x699 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains High
GHSA-3846-mfvc-xwpf was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy Moderate
GHSA-44c9-4rg5-qjgq was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: allowlist exec-guard bypass via env -S High
GHSA-x742-88jj-7hv9 was published for openclaw (npm) Mar 19, 2026 withdrawn
Arbitrary file write via tar traversal in mlflow High
CVE-2025-15031 was published for mlflow (pip) Mar 19, 2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk Moderate
CVE-2026-33230 was published for nltk (pip) Mar 18, 2026
Credited to leduckhuong
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview High
CVE-2026-33226 was published for budibase (npm) Mar 18, 2026
Credited to da7om85
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
Credited to 0xkakash1
Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod Critical
CVE-2026-33211 was published for github.com/tektoncd/pipeline (Go) Mar 18, 2026
Credited to 1seal, vdemeester, afrittoli, and KoreaSecurity
JustHTML has a Sanitizer Bypass (in Markdown) Moderate
GHSA-3rcm-vjrc-p45j was published for justhtml (pip) Mar 18, 2026
Credited to kejcao
JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script) Moderate
GHSA-qvc2-mg72-jjhx was published for justhtml (pip) Mar 18, 2026
Credited to offset
Unsigned SAML LogoutRequest Acceptance in gosaml2 High
GHSA-pcgw-qcv5-h8ch was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
gosaml2 CBC Padding Panic — Unauthenticated Process Crash High
GHSA-hwqm-qvj9-4jr2 was published for github.com/russellhaering/gosaml2 (Go) Mar 18, 2026
Credited to xclow3n
validateSignature Loop Variable Capture Signature Bypass in goxmldsig High
CVE-2026-33487 was published for github.com/russellhaering/goxmldsig (Go) Mar 18, 2026
Credited to tomasilluminati
Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS Moderate
GHSA-rf74-v2fm-23pw was published for nltk (pip) Mar 18, 2026
Credited to ZeroXJacks
mo has an XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
Credited to yagihash
SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering High
CVE-2026-33204 was published for kelvinmo/simplejwt (Composer) Mar 18, 2026
Credited to edoardottt
free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions request High
CVE-2026-33192 was published for github.com/free5gc/udm (Go) Mar 18, 2026