Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

128 advisories

Loading
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes Critical
CVE-2026-33807 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Multiple security fixes in justhtml Low
GHSA-4p64-v8f5-r2gx was published for justhtml (pip) Apr 14, 2026
EmilStenstrom Credited to EmilStenstrom
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config Low
CVE-2026-41388 was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing Moderate
CVE-2026-32762 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass. Moderate
CVE-2026-26961 was published for rack (RubyGems) Apr 2, 2026
CodeByMoriarty Credited to CodeByMoriarty, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
GHSA-mxmg-3p7m-2ghr was published for openclaw (npm) Mar 21, 2026 withdrawn
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk High
GHSA-q382-vc8q-7jhj was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
anaximand3r Credited to anaximand3r
astral-tokio-tar insufficiently validates PAX extensions during extraction Moderate
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
woodruffw Credited to woodruffw and xokdvium xokdvium xokdvium
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
CVE-2026-32971 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run allow-always persistence included shell-commented payload tails Moderate
GHSA-9q2p-vc84-2rwm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating Low
CVE-2026-27183 was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation Moderate
GHSA-796m-2973-wc5q was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
tdjackey Credited to tdjackey
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
CVE-2026-32065 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists Moderate
GHSA-392f-ggf5-fp3c was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity High
CVE-2026-27896 was published for github.com/modelcontextprotocol/go-sdk (Go) Feb 26, 2026
anaximand3r Credited to anaximand3r
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
Fastify's Content-Type header tab character allows body validation bypass High
CVE-2026-25223 was published for fastify (npm) Feb 2, 2026
jsumners Credited to jsumners
Path Normalization Bypass in Traefik Router + Middleware Rules Moderate
CVE-2025-66490 was published for github.com/traefik/traefik (Go) Dec 8, 2025
ShadoooooW Credited to ShadoooooW
ProTip! Advisories are also available from the GraphQL API