
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

29,215 advisories

OpenClaw: Workspace .env could inject OpenClaw runtime-control variables Moderate
GHSA-7wv4-cc7p-jhxc was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Discord event cover images bypassed sandbox media normalization Moderate
GHSA-c9h3-5p7r-mrjh was published for openclaw (npm) Apr 17, 2026
Credited to Telecaster2147
OpenClaw: Empty approver lists could grant explicit approval authorization Moderate
GHSA-49cg-279w-m73x was published for openclaw (npm) Apr 17, 2026
Credited to anshumanbh
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input Moderate
GHSA-7g8c-cfr3-vqqr was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, qclawer, and KeenSecurityLab
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables High
GHSA-vfp4-8x56-j7c5 was published for openclaw (npm) Apr 17, 2026
Credited to feiyang666
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms Moderate
GHSA-j6c7-3h5x-99g9 was published for openclaw (npm) Apr 17, 2026
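The two advisories above describe the same sandboxing gap from two sides: an exec-environment denylist that omits variables the dynamic loader or an interpreter reads at startup, and a wrapper check that does not recognize command lines which set those variables via argv (`VAR=value cmd`, `env VAR=value cmd`). The following is an added illustration, not OpenClaw's code and not taken from either advisory: the variable names are real loader/interpreter hooks, while `NAIVE_DENYLIST`, the function names and the two argv forms handled are assumptions made for the example.

```javascript
// Added example (hypothetical code, not OpenClaw's implementation).
// Shows why a denylist that omits interpreter startup variables passes
// NODE_OPTIONS/PYTHONSTARTUP through, why an allowlist does not, and why
// assignments placed in argv need their own check.

// Variables that make the loader or an interpreter run attacker-chosen
// code before the intended program ever sees its arguments.
const INTERPRETER_STARTUP_VARS = new Set([
  "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "DYLD_INSERT_LIBRARIES",
  "NODE_OPTIONS", "PYTHONSTARTUP", "PYTHONPATH", "PERL5OPT", "PERL5LIB",
  "RUBYOPT", "BASH_ENV", "ENV", "ZDOTDIR",
]);

// Hypothetical denylist that only thought about the dynamic loader.
const NAIVE_DENYLIST = new Set(["LD_PRELOAD", "LD_LIBRARY_PATH"]);

// Denylist filtering: anything not explicitly named passes through.
function filterEnvDenylist(env, denylist = NAIVE_DENYLIST) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (!denylist.has(k)) out[k] = v;
  }
  return out;
}

// Allowlist filtering: only named variables reach the child process.
function filterEnvAllowlist(env, allow = ["PATH", "HOME", "LANG", "TERM", "TMPDIR"]) {
  const out = {};
  for (const k of allow) {
    if (Object.prototype.hasOwnProperty.call(env, k)) out[k] = env[k];
  }
  return out;
}

// Names assigned on the command line itself. Handles a leading
// "VAR=value cmd" prefix and "env [flags] VAR=value cmd". The environment
// filters above never see these, so they need a separate check.
function findArgvEnvAssignments(argv) {
  const assignment = /^([A-Za-z_][A-Za-z0-9_]*)=/;
  const names = [];
  let i = 0;
  const first = argv[0] || "";
  if (first === "env" || first.endsWith("/env")) {
    i = 1;
    // Skip env's own flags; -u/--unset and -C/--chdir take an argument.
    while (i < argv.length && argv[i].startsWith("-")) {
      const flag = argv[i];
      i += (flag === "-u" || flag === "--unset" || flag === "-C" || flag === "--chdir") ? 2 : 1;
    }
  }
  for (; i < argv.length; i++) {
    const m = assignment.exec(argv[i]);
    if (!m) break;
    names.push(m[1]);
  }
  return names;
}

// Combined verdict for one exec request.
function assessExec(argv, env) {
  const viaArgv = findArgvEnvAssignments(argv).filter((n) => INTERPRETER_STARTUP_VARS.has(n));
  const viaEnv = Object.keys(env).filter((n) => INTERPRETER_STARTUP_VARS.has(n));
  return { risky: viaArgv.length + viaEnv.length > 0, viaArgv, viaEnv };
}

// Constructed sample environment: NODE_OPTIONS survives the naive denylist
// but not the allowlist.
const parentEnv = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/agent",
  NODE_OPTIONS: "--require /tmp/hook.js",
};
const denylisted = filterEnvDenylist(parentEnv);
const allowlisted = filterEnvAllowlist(parentEnv);

console.log(assessExec(["node", "app.js"], denylisted));   // risky: true (viaEnv)
console.log(assessExec(["node", "app.js"], allowlisted));  // risky: false
console.log(assessExec(["env", "PYTHONSTARTUP=/tmp/hook.py", "python3", "-c", "pass"], allowlisted)); // risky: true (viaArgv)
```

The point of the argv scan is that a clean environment is not enough: `env` and the shell's `VAR=value cmd` prefix re-introduce the variable after the filter has run, so a policy engine has to inspect both the environment it hands to the child and the argv it is about to execute.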
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands Moderate
GHSA-5gjc-grvm-m88j was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
GHSA-gc9r-867r-j85f was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
GHSA-r77c-2cmr-7p47 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Heartbeat owner downgrade missed local async exec completion events Moderate
GHSA-g375-h3v6-4873 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, qclawer, and KeenSecurityLab
OpenClaw: Voice-call realtime WebSocket accepted oversized frames High
GHSA-vw3h-q6xq-jjm5 was published for openclaw (npm) Apr 17, 2026
Credited to G0odUser
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
GHSA-g2hm-779g-vm32 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
GHSA-c4qm-58hj-j6pj was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases High
GHSA-8372-7vhw-cm6q was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context Moderate
GHSA-jwrq-8g5x-5fhm was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
Credited to DeathsPirate
Credited to berkdedekarginoglu
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing High
CVE-2026-40931 was published for compressing (npm) Apr 17, 2026
Credited to sachinpatilpsp and IAMolofficial
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures Low
CVE-2026-35402 was published for mcp-neo4j-cypher (pip) Apr 17, 2026
Credited to yotampe-pluto
Sentry: Improper authentication on SAML SSO process allows user identity linking Critical
CVE-2026-27197 was published for sentry (pip) Apr 17, 2026
Credited to Muhammad-Qasim-Munir
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration Critical
CVE-2026-23500 was published for dolibarr/dolibarr (Composer) Apr 17, 2026
Credited to lukasz-rybak
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials Moderate
GHSA-92jp-89mq-4374 was published for openclaw (npm) Apr 17, 2026
Credited to smaeljaish771 and KeenSecurityLab
Bouncy Castle has an LDAP injection Moderate
CVE-2026-0636 was published for org.bouncycastle:bcprov-jdk14 (Maven) Apr 17, 2026
Bouncy Castle Uncontrolled Resource Consumption vulnerability High
CVE-2026-3505 was published for org.bouncycastle:bcpg-jdk12 (Maven) Apr 17, 2026