GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
159 advisories
Filter by severity
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
CVE-2026-34425
was published
for
openclaw
(npm)
Apr 6, 2026
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
GHSA-rf75-g96h-j3rm
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
ChangeDetection.io versions prior to 0.54.7 contain a protection bypass vulnerability in the...
High
Unreviewed
CVE-2026-35000
was published
Apr 1, 2026
ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in...
High
Unreviewed
CVE-2026-34430
was published
Apr 1, 2026
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Moderate
CVE-2026-32017
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
High
CVE-2026-32913
was published
for
openclaw
(npm)
Mar 9, 2026
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Moderate
CVE-2026-32010
was published
for
openclaw
(npm)
Mar 3, 2026
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Moderate
CVE-2026-33628
was published
for
invoiceninja/invoiceninja
(Composer)
Mar 24, 2026
OpenClaw has allowlist exec-guard bypass via env -S
Moderate
CVE-2026-31992
was published
for
openclaw
(npm)
Mar 3, 2026
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Moderate
CVE-2026-32747
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution
High
CVE-2026-33139
was published
for
pyspector
(pip)
Mar 18, 2026
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)
Critical
CVE-2026-32940
was published
for
github.com/siyuan-note/siyuan
(Go)
Mar 17, 2026
Duplicate Advisory: allowlist exec-guard bypass via env -S
High
GHSA-x742-88jj-7hv9
was published
for
openclaw
(npm)
Mar 19, 2026
•
withdrawn
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
Low
CVE-2026-31996
was published
for
openclaw
(npm)
Feb 19, 2026
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
Low
CVE-2026-31993
was published
for
openclaw
(npm)
Mar 2, 2026
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
Moderate
GHSA-5326-6f73-m96w
was published
for
openclaw
(npm)
Mar 19, 2026
•
withdrawn
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Moderate
CVE-2026-22175
was published
for
openclaw
(npm)
Mar 2, 2026
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`
Moderate
GHSA-5cxw-w2xg-2m8h
was published
for
fickling
(pip)
Mar 13, 2026
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist
Moderate
GHSA-r48f-3986-4f9c
was published
for
fickling
(pip)
Mar 13, 2026
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
High
CVE-2026-32059
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Moderate
GHSA-3h2q-j2v4-6w5r
was published
for
openclaw
(npm)
Mar 9, 2026
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality
High
GHSA-5r2p-pjr8-7fh7
was published
for
sagemaker
(pip)
Mar 5, 2026
Fickling missing RCE-capable modules in UNSAFE_IMPORTS
High
GHSA-5hwf-rc88-82xm
was published
for
fickling
(pip)
Mar 4, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
PickleScan has multiple stdlib modules with direct RCE not in blocklist
Critical
GHSA-g38g-8gr9-h9xp
was published
for
picklescan
(pip)
Mar 3, 2026
ProTip!
Advisories are also available from the
GraphQL API