Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

159 advisories

Loading
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
OpenClaw: Shell inline-command parsing could miss an allowlist check High
CVE-2026-53866 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Host environment sanitizer missed two Node.js control variables High
CVE-2026-53864 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables High
GHSA-vr6h-vxqj-3pjx was published for openclaw (npm) Jun 16, 2026 withdrawn
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output Low
GHSA-8rfp-98v4-mmr6 was published for bleach (pip) Jun 16, 2026
tonghuaroot Credited to tonghuaroot and nicolas-grekas nicolas-grekas nicolas-grekas
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
RajChowdhury240 Credited to RajChowdhury240
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL Moderate
CVE-2026-22217 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) Moderate
CVE-2026-32022 was published for openclaw (npm) Mar 3, 2026
athuljayaram Credited to athuljayaram
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
ajohnston9 Credited to ajohnston9 and 0x00nier 0x00nier 0x00nier
q1uf3ng Credited to q1uf3ng
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
yuui25 Credited to yuui25
nicolas-grekas Credited to nicolas-grekas
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
Flowise has an MCP Security Bypass that Enables RCE High
GHSA-m99r-2hxc-cp3q was published for flowise (npm) May 14, 2026
cn-panda Credited to cn-panda
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist High
CVE-2026-42590 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
JohannesLks Credited to JohannesLks
hits313 Credited to hits313
OpenClaw: Workspace dotenv could override runtime-control environment variables High
CVE-2026-44114 was published for openclaw (npm) Apr 25, 2026
foodlook Credited to foodlook
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables High
CVE-2026-43584 was published for openclaw (npm) Apr 17, 2026
feiyang666 Credited to feiyang666
Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables High
GHSA-xrgf-r9gr-jjjf was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables High
GHSA-9r9j-3r2w-fg3v was published for openclaw (npm) May 6, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API