GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
159 advisories
Filter by severity
npm PraisonAI codeMode sandbox escape via Function constructor
Critical
GHSA-vmmj-pfw7-fjwp
was published
for
praisonai
(npm)
Jun 18, 2026
OpenClaw: Shell inline-command parsing could miss an allowlist check
High
CVE-2026-53866
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Host environment sanitizer missed two Node.js control variables
High
CVE-2026-53864
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables
High
GHSA-vr6h-vxqj-3pjx
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Low
GHSA-8rfp-98v4-mmr6
was published
for
bleach
(pip)
Jun 16, 2026
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded...
High
Unreviewed
CVE-2026-53836
was published
Jun 13, 2026
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
High
CVE-2026-54090
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jun 12, 2026
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
Moderate
CVE-2026-22217
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
Moderate
CVE-2026-32022
was published
for
openclaw
(npm)
Mar 3, 2026
Fickling has Code Injection vulnerability via pty.spawn()
High
CVE-2025-67748
was published
for
fickling
(pip)
Dec 15, 2025
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
Critical
CVE-2026-47392
was published
for
PraisonAI
(pip)
May 29, 2026
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
High
CVE-2026-45741
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 29, 2026
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
Low
CVE-2026-45753
was published
for
symfony/html-sanitizer
(Composer)
May 28, 2026
Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918,...
Moderate
Unreviewed
CVE-2026-9818
was published
May 28, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
Moderate
CVE-2026-45066
was published
for
symfony/html-sanitizer
(Composer)
May 27, 2026
Flowise has an MCP Security Bypass that Enables RCE
High
GHSA-m99r-2hxc-cp3q
was published
for
flowise
(npm)
May 14, 2026
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
High
CVE-2026-42590
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
High
CVE-2026-43929
was published
for
ssrfcheck
(npm)
May 5, 2026
OpenClaw: Workspace dotenv could override runtime-control environment variables
High
CVE-2026-44114
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
High
CVE-2026-43584
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's...
High
Unreviewed
CVE-2026-45006
was published
May 11, 2026
OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action...
Low
Unreviewed
CVE-2026-44993
was published
May 11, 2026
Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
High
GHSA-xrgf-r9gr-jjjf
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables
High
GHSA-9r9j-3r2w-fg3v
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API