GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (counts at time of capture):
All reviewed: 5,000+ | Composer: 5,000+ | Erlang: 46 | GitHub Actions: 48 | Go: 3,361 | Maven: 5,000+ | npm: 5,000+ | NuGet: 881 | pip: 4,554 | Pub: 12 | RubyGems: 1,013 | Rust: 1,205 | Swift: 51
Unreviewed advisories: 5,000+
5,411 advisories in the current listing, most recent first.
Identifier | Severity | Package (ecosystem) | Published | Advisory
GHSA-39mp-545q-w789 | Moderate | openclaw (npm) | Mar 30, 2026 | OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
GHSA-xp9r-prpg-373r | High | openclaw (npm) | Mar 30, 2026 | OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
GHSA-vqvg-86cc-cg83 | Moderate | openclaw (npm) | Mar 30, 2026 | OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement
GHSA-94pw-c6m8-p9p9 | High | openclaw (npm) | Mar 30, 2026 | OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
GHSA-m3mh-3mpg-37hw | High | openclaw (npm) | Mar 30, 2026 | OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
GHSA-68f8-9mhj-h2mp | Moderate | openclaw (npm) | Mar 30, 2026 | OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
GHSA-w6m8-cqvj-pg5v | Moderate | openclaw (npm) | Mar 30, 2026 | OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
GHSA-hr5v-j9h9-xjhg | High | openclaw (npm) | Mar 30, 2026 | OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
GHSA-3298-56p6-rpw2 | Moderate | openclaw (npm) | Mar 30, 2026 | OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
CVE-2026-34373 | Moderate | parse-server (npm) | Mar 30, 2026 | GraphQL API endpoint ignores CORS origin restriction
CVE-2026-34363 | High | parse-server (npm) | Mar 30, 2026 | LiveQuery protected field leak via shared mutable state across concurrent subscribers
CVE-2026-34156 | Critical | @nocobase/plugin-workflow-javascript (npm) | Mar 30, 2026 | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
CVE-2026-33949 | High | @tinacms/graphql (npm) | Mar 30, 2026 | @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files
GHSA-4hmj-39m8-jwc7 | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
GHSA-j4c9-w69r-cw33 | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
GHSA-mf5g-6r6f-ghhm | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
GHSA-rf6h-5gpw-qrgq | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
GHSA-h4jx-hjr3-fhgc | High | openclaw (npm) | Mar 29, 2026 | OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
GHSA-77w2-crqv-cmv3 | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
GHSA-3h52-cx59-c456 | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
GHSA-rhfg-j8jq-7v2h | High | openclaw (npm) | Mar 29, 2026 | OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
GHSA-52q4-3xjc-6778 | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
GHSA-q2qc-744p-66r2 | High | openclaw (npm) | Mar 29, 2026 | OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
GHSA-5jvj-hxmh-6h6j | Moderate | openclaw (npm) | Mar 29, 2026 | OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
CVE-2026-34221 | High | @mikro-orm/core (npm) | Mar 29, 2026 | MikroORM has Prototype Pollution in Utils.merge
ProTip! Advisories are also available from the GraphQL API.