GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,630; Maven 5,000+; npm 5,000+; NuGet 928; pip 4,850; Pub 13; RubyGems 1,045; Rust 1,301; Swift 53
Unreviewed advisories: All unreviewed 5,000+
67 advisories
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests (Moderate). GHSA-h2vw-ph2c-jvwf was published for openclaw (npm) on Apr 25, 2026.
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables (Moderate). GHSA-7wv4-cc7p-jhxc was published for openclaw (npm) on Apr 17, 2026.
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows... (Moderate, Unreviewed). CVE-2026-0232 was published on Apr 13, 2026.
Local privilege escalation due to improper handling of environment variables. The following... (High, Unreviewed). CVE-2026-33092 was published on Apr 10, 2026.
Spring Cloud Gateway's SSL bundle configuration silently bypassed (High). CVE-2026-22750 was published for org.springframework.cloud:spring-cloud-gateway (Maven) on Apr 10, 2026.
An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0... (Moderate, Unreviewed). CVE-2026-30816 was published on Apr 8, 2026.
An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows... (Moderate, Unreviewed). CVE-2026-30817 was published on Apr 8, 2026.
OpenClaw: Workspace `.env` can override the bundled plugin trust root (High). CVE-2026-41396 was published for openclaw (npm) on Apr 3, 2026.
OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code (High). GHSA-3qpv-xf3v-mm45 was published for openclaw (npm) on Apr 2, 2026.
OpenClaw has Inconsistent Host Exec Environment Override Sanitization (High). CVE-2026-35650 was published for openclaw (npm) on Mar 26, 2026.
RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface (Critical). CVE-2026-30960 was published for rssn (Rust) on Mar 10, 2026.
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots (Moderate). GHSA-j425-whc4-4jgc was published for openclaw (npm) on Mar 9, 2026.
Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions 9.11.0.0 through 9.12.0.1,... (Low, Unreviewed). CVE-2026-21422 was published on Mar 4, 2026.
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class) (High). CVE-2026-32056 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands (High). GHSA-w9cg-v44m-4qv8 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths (Moderate). GHSA-5h2c-8v84-qpvr was published for openclaw (npm) on Mar 3, 2026.
OpenClaw's config env vars allowed startup env injection into service runtime (Moderate). CVE-2026-22177 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints (Moderate). CVE-2026-22169 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE) (High). CVE-2026-32003 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows (Low). CVE-2026-32058 was published for openclaw (npm) on Mar 2, 2026.
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) (Moderate). CVE-2026-4039 was published for openclaw (npm) on Feb 27, 2026.
eBay API MCP Server Affected by Environment Variable Injection (High). CVE-2026-27203 was published for ebay-mcp (npm) on Feb 19, 2026.
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a... (Moderate, Unreviewed). CVE-2025-13091 was published on Feb 19, 2026.
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to... (Moderate, Unreviewed). CVE-2026-0495 was published on Jan 13, 2026.
Taguette password reset link poisoning (High). CVE-2025-62527 was published for taguette (pip) on Oct 20, 2025.
ProTip! Advisories are also available from the GraphQL API.