GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
161 advisories
Filter by severity
October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate
CVE-2026-26274
was published
for
october/october
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Moderate
CVE-2026-26067
was published
for
october/system
(Composer)
Apr 21, 2026
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
Moderate
CVE-2026-25525
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41265
was published
for
flowise
(npm)
Apr 18, 2026
OpenClaw: Discord event cover images bypassed sandbox media normalization
Moderate
CVE-2026-43532
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
High
CVE-2026-43584
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
Moderate
CVE-2026-43566
was published
for
openclaw
(npm)
Apr 17, 2026
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Moderate
CVE-2026-41206
was published
for
pyspector
(pip)
Apr 16, 2026
Kimai leaks API Token Hash via Invoice Twig Template
Low
GHSA-rh42-6rj2-xwmc
was published
for
kimai/kimai
(Composer)
Apr 14, 2026
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Critical
CVE-2026-34177
was published
for
github.com/canonical/lxd
(Go)
Apr 10, 2026
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Low
CVE-2026-40077
was published
for
github.com/henrygd/beszel
(Go)
Apr 10, 2026
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
Low
CVE-2026-41915
was published
for
openclaw
(npm)
Apr 9, 2026
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Moderate
CVE-2026-39315
was published
for
unhead
(npm)
Apr 9, 2026
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
High
CVE-2026-42427
was published
for
openclaw
(npm)
Apr 9, 2026
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Moderate
CVE-2026-41392
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
CVE-2026-34425
was published
for
openclaw
(npm)
Apr 6, 2026
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Moderate
CVE-2026-35410
was published
for
directus
(npm)
Apr 4, 2026
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
CVE-2026-41369
was published
for
openclaw
(npm)
Apr 3, 2026
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
Moderate
GHSA-8h8f-7cxm-m38j
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
GHSA-rf75-g96h-j3rm
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
High
CVE-2026-41391
was published
for
openclaw
(npm)
Apr 2, 2026
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the...
High
Unreviewed
CVE-2026-35000
was published
Apr 1, 2026
ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in...
High
Unreviewed
CVE-2026-34430
was published
Apr 1, 2026
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Moderate
CVE-2026-41332
was published
for
openclaw
(npm)
Mar 31, 2026
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Moderate
CVE-2026-33628
was published
for
invoiceninja/invoiceninja
(Composer)
Mar 24, 2026
ProTip!
Advisories are also available from the
GraphQL API