Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

159 advisories

Loading
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
caveeroo Credited to caveeroo, omkhar, and 75ACOL omkhar omkhar
75ACOL 75ACOL
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247 Low
GHSA-8678-w3jw-xfc2 was published for nokogiri (RubyGems) Jun 19, 2026
bilerden Credited to bilerden
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers Low
CVE-2026-53848 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
CVE-2026-53861 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
OpenClaw: Shell inline-command parsing could miss an allowlist check High
CVE-2026-53866 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Host environment sanitizer missed two Node.js control variables High
CVE-2026-53864 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-4mpj-78p6-rj59 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs Critical
GHSA-6v84-v468-3c7f was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: Picklescan does not block ctypes Critical
GHSA-7f79-rvx6-vxc4 was published for picklescan (pip) Jun 17, 2026 withdrawn
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
GHSA-g796-jqmx-wf9q was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables High
GHSA-vr6h-vxqj-3pjx was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks High
GHSA-27pq-2ph8-8x25 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers Low
GHSA-wrr6-p5r6-474m was published for openclaw (npm) Jun 16, 2026 withdrawn
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output Low
GHSA-8rfp-98v4-mmr6 was published for bleach (pip) Jun 16, 2026
ProTip! Advisories are also available from the GraphQL API