Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

52 advisories

Loading
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
CVE-2026-53861 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
GHSA-g796-jqmx-wf9q was published for openclaw (npm) Jun 16, 2026 withdrawn
tonghuaroot Credited to tonghuaroot and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
OpenClaw: Discord event cover images bypassed sandbox media normalization Moderate
CVE-2026-43532 was published for openclaw (npm) Apr 17, 2026
Telecaster2147 Credited to Telecaster2147
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
CVE-2026-43566 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
fg0x0 Credited to fg0x0
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() Moderate
CVE-2026-39315 was published for unhead (npm) Apr 9, 2026
cybe4sent1nel Credited to cybe4sent1nel
OpenClaw: Shell init-file options could satisfy exec allowlist script matching Moderate
CVE-2026-41392 was published for openclaw (npm) Apr 7, 2026
cyjhhh Credited to cyjhhh
OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
CVE-2026-34425 was published for openclaw (npm) Apr 6, 2026
wsparks-vc Credited to wsparks-vc and iskindar iskindar iskindar
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation Moderate
GHSA-8h8f-7cxm-m38j was published for openclaw (npm) Apr 2, 2026 withdrawn
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
GHSA-rf75-g96h-j3rm was published for openclaw (npm) Apr 2, 2026 withdrawn
nicky-cc Credited to nicky-cc
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items Moderate
CVE-2026-33628 was published for invoiceninja/invoiceninja (Composer) Mar 24, 2026
morimori-dev Credited to morimori-dev
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Moderate
GHSA-5326-6f73-m96w was published for openclaw (npm) Mar 19, 2026 withdrawn
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets Moderate
CVE-2026-32747 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
fg0x0 Credited to fg0x0
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE` Moderate
GHSA-5cxw-w2xg-2m8h was published for fickling (pip) Mar 13, 2026
mldangelo Credited to mldangelo
ProTip! Advisories are also available from the GraphQL API