Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

159 advisories

Loading
OpenClaw: Discord event cover images bypassed sandbox media normalization Moderate
CVE-2026-43532 was published for openclaw (npm) Apr 17, 2026
Telecaster2147 Credited to Telecaster2147
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
CVE-2026-43566 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
nicky-cc Credited to nicky-cc
OpenClaw: Shell init-file options could satisfy exec allowlist script matching Moderate
CVE-2026-41392 was published for openclaw (npm) Apr 7, 2026
cyjhhh Credited to cyjhhh
tdjackey Credited to tdjackey
boy-hack Credited to boy-hack
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability Critical
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
zdi-disclosures Credited to zdi-disclosures
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation... Critical Unreviewed
CVE-2026-34415 was published Apr 22, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability Critical
CVE-2026-41265 was published for flowise (npm) Apr 18, 2026
zdi-disclosures Credited to zdi-disclosures
fg0x0 Credited to fg0x0
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Kimai leaks API Token Hash via Invoice Twig Template Low
GHSA-rh42-6rj2-xwmc was published for kimai/kimai (Composer) Apr 14, 2026
hett-patell Credited to hett-patell
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation Moderate
GHSA-8h8f-7cxm-m38j was published for openclaw (npm) Apr 2, 2026 withdrawn
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf Critical
CVE-2026-34177 was published for github.com/canonical/lxd (Go) Apr 10, 2026
mpurg Credited to mpurg
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter Low
CVE-2026-40077 was published for github.com/henrygd/beszel (Go) Apr 10, 2026
marduc812 Credited to marduc812, kodareef5, and lakshayyverma kodareef5 kodareef5
lakshayyverma lakshayyverma
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() Moderate
CVE-2026-39315 was published for unhead (npm) Apr 9, 2026
cybe4sent1nel Credited to cybe4sent1nel
ProTip! Advisories are also available from the GraphQL API