GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
113 advisories
GHSA-hxvm-xjvf-93f3 (Moderate), published Apr 25, 2026 for openclaw (npm): OpenClaw: Workspace dotenv could override runtime-control environment variables
CVE-2026-41361 (Moderate, Unreviewed), published Apr 24, 2026: OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four...
CVE-2026-41332 (Moderate, Unreviewed), published Apr 24, 2026: OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where...
CVE-2026-34415 (Critical, Unreviewed), published Apr 22, 2026: Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation...
CVE-2026-41264 (Critical), published Apr 21, 2026 for flowise (npm): Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
CVE-2026-26274 (Moderate), published Apr 21, 2026 for october/october (Composer): October CMS has Safe Mode Bypass via Twig Database Write Operations
CVE-2026-26067 (Moderate), published Apr 21, 2026 for october/system (Composer): October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
CVE-2026-25525 (Moderate), published Apr 21, 2026 for openmage/magento-lts (Composer): OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
CVE-2026-41265 (Critical), published Apr 18, 2026 for flowise (npm): Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
GHSA-vfp4-8x56-j7c5 (High), published Apr 17, 2026 for openclaw (npm): OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
CVE-2026-41206 (Moderate), published Apr 16, 2026 for pyspector (pip): PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
GHSA-rh42-6rj2-xwmc (Low), published Apr 14, 2026 for kimai/kimai (Composer): Kimai leaks API Token Hash via Invoice Twig Template
CVE-2026-34177 (Critical), published Apr 10, 2026 for github.com/canonical/lxd (Go): LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
CVE-2026-40077 (Low), published Apr 10, 2026 for github.com/henrygd/beszel (Go): Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
CVE-2026-41915 (Low), published Apr 9, 2026 for openclaw (npm): OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
CVE-2026-39315 (Moderate), published Apr 9, 2026 for unhead (npm): Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
CVE-2026-42427 (High), published Apr 9, 2026 for openclaw (npm): OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
CVE-2026-41392 (Moderate), published Apr 7, 2026 for openclaw (npm): OpenClaw: Shell init-file options could satisfy exec allowlist script matching
CVE-2026-34425 (Moderate), published Apr 6, 2026 for openclaw (npm): OpenClaw's complex interpreter pipelines could skip exec script preflight validation
CVE-2026-35410 (Moderate), published Apr 4, 2026 for directus (npm): Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
GHSA-cg7q-fg22-4g98 (Moderate), published Apr 3, 2026 for openclaw (npm): OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
GHSA-8h8f-7cxm-m38j (Moderate, withdrawn), published Apr 2, 2026 for openclaw (npm): Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
GHSA-rf75-g96h-j3rm (Moderate, withdrawn), published Apr 2, 2026 for openclaw (npm): Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
CVE-2026-35000 (High, Unreviewed), published Apr 1, 2026: ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the...
CVE-2026-34430 (High, Unreviewed), published Apr 1, 2026: ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in...