GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
159 advisories
Filter by severity
OpenClaw: Discord event cover images bypassed sandbox media normalization
Moderate
CVE-2026-43532
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
Moderate
CVE-2026-43566
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Moderate
CVE-2026-41332
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell...
High
Unreviewed
CVE-2026-44115
was published
May 6, 2026
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where...
Critical
Unreviewed
CVE-2026-43578
was published
May 6, 2026
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Moderate
CVE-2026-41392
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
CVE-2026-41369
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
Low
CVE-2026-41915
was published
for
openclaw
(npm)
Apr 9, 2026
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
High
CVE-2026-41391
was published
for
openclaw
(npm)
Apr 2, 2026
Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Moderate
GHSA-wcm7-94wg-h74h
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four...
Moderate
Unreviewed
CVE-2026-41361
was published
Apr 24, 2026
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
High
CVE-2026-42427
was published
for
openclaw
(npm)
Apr 9, 2026
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41264
was published
for
flowise
(npm)
Apr 21, 2026
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation...
Critical
Unreviewed
CVE-2026-34415
was published
Apr 22, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate
CVE-2026-26274
was published
for
october/october
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Moderate
CVE-2026-26067
was published
for
october/system
(Composer)
Apr 21, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41265
was published
for
flowise
(npm)
Apr 18, 2026
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Moderate
CVE-2026-41206
was published
for
pyspector
(pip)
Apr 16, 2026
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
Moderate
CVE-2026-25525
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Moderate
CVE-2026-35410
was published
for
directus
(npm)
Apr 4, 2026
Kimai leaks API Token Hash via Invoice Twig Template
Low
GHSA-rh42-6rj2-xwmc
was published
for
kimai/kimai
(Composer)
Apr 14, 2026
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
Moderate
GHSA-8h8f-7cxm-m38j
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
Critical
CVE-2026-34177
was published
for
github.com/canonical/lxd
(Go)
Apr 10, 2026
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Low
CVE-2026-40077
was published
for
github.com/henrygd/beszel
(Go)
Apr 10, 2026
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Moderate
CVE-2026-39315
was published
for
unhead
(npm)
Apr 9, 2026
ProTip!
Advisories are also available from the
GraphQL API