Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

159 advisories

Loading
OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
CVE-2026-34425 was published for openclaw (npm) Apr 6, 2026
wsparks-vc Credited to wsparks-vc and iskindar iskindar iskindar
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
GHSA-rf75-g96h-j3rm was published for openclaw (npm) Apr 2, 2026 withdrawn
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write Moderate
CVE-2026-32017 was published for openclaw (npm) Mar 3, 2026
xelitte777 Credited to xelitte777 and Redgrave961 Redgrave961 Redgrave961
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects High
CVE-2026-32913 was published for openclaw (npm) Mar 9, 2026
Rickidevs Credited to Rickidevs
tdjackey Credited to tdjackey
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
morimori-dev Credited to morimori-dev
OpenClaw has allowlist exec-guard bypass via env -S Moderate
CVE-2026-31992 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets Moderate
CVE-2026-32747 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
fg0x0 Credited to fg0x0
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution High
CVE-2026-33139 was published for pyspector (pip) Mar 18, 2026
Shinigami81 Credited to Shinigami81
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) Critical
CVE-2026-32940 was published for github.com/siyuan-note/siyuan (Go) Mar 17, 2026
vnykmshr Credited to vnykmshr
Duplicate Advisory: allowlist exec-guard bypass via env -S High
GHSA-x742-88jj-7hv9 was published for openclaw (npm) Mar 19, 2026 withdrawn
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
CVE-2026-31996 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Low
CVE-2026-31993 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Moderate
GHSA-5326-6f73-m96w was published for openclaw (npm) Mar 19, 2026 withdrawn
jiseoung Credited to jiseoung
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE` Moderate
GHSA-5cxw-w2xg-2m8h was published for fickling (pip) Mar 13, 2026
mldangelo Credited to mldangelo
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist Moderate
GHSA-r48f-3986-4f9c was published for fickling (pip) Mar 13, 2026
fg0x0 Credited to fg0x0
tdjackey Credited to tdjackey
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers Moderate
GHSA-3h2q-j2v4-6w5r was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality High
GHSA-5r2p-pjr8-7fh7 was published for sagemaker (pip) Mar 5, 2026
daridor9 Credited to daridor9
Fickling missing RCE-capable modules in UNSAFE_IMPORTS High
GHSA-5hwf-rc88-82xm was published for fickling (pip) Mar 4, 2026
yash2998chhabria Credited to yash2998chhabria
Craft CMS has Twig Function Blocklist Bypass Moderate
CVE-2026-28783 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
ProTip! Advisories are also available from the GraphQL API