GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,340
Maven
5,000+
npm
5,000+
NuGet
1,033
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,498
Swift
61
Unreviewed advisories
All unreviewed
5,000+
42 advisories
Filter by severity
Incomplete List of Disallowed Inputs in Jenkins
Moderate
CVE-2017-2602
was published
for
org.jenkins-ci.main:jenkins-core
(Maven)
May 13, 2022
Incomplete List of Disallowed Inputs in Kubernetes
Moderate
CVE-2021-25737
was published
for
k8s.io/kubernetes
(Go)
Sep 7, 2021
Cortex's Alertmanager can expose local files content via specially crafted config
Moderate
CVE-2022-23536
was published
for
github.com/cortexproject/cortex
(Go)
Dec 19, 2022
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols
Moderate
CVE-2024-28246
was published
for
katex
(npm)
Mar 25, 2024
Apache NiFi Insufficient Property Validation vulnerability
Moderate
CVE-2023-40037
was published
for
org.apache.nifi:nifi-dbcp-base
(Maven)
Aug 19, 2023
Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis
Moderate
GHSA-vr75-hjh9-7fr6
was published
for
picklescan
(pip)
Mar 3, 2025
•
withdrawn
Picklescan missing detection when calling built-in python library function timeit.timeit()
Moderate
GHSA-v7x6-rv5q-mhwc
was published
for
picklescan
(pip)
Apr 7, 2025
Picklescan Allows Remote Code Execution via Malicious Pickle File Bypassing Static Analysis
Moderate
CVE-2025-1716
was published
for
picklescan
(pip)
Mar 3, 2025
Duplicate Advisory: Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate
Moderate
GHSA-4p4h-9gvq-7xfg
was published
for
picklescan
(pip)
Apr 24, 2025
•
withdrawn
libsodium has Incomplete List of Disallowed Inputs
Moderate
CVE-2025-69277
was published
for
PyNaCl
(Composer)
Dec 31, 2025
Fickling has safety check bypass via REDUCE+BUILD opcode sequence
Moderate
GHSA-mhc9-48gj-9gp3
was published
for
fickling
(pip)
Feb 25, 2026
Craft CMS has Twig Function Blocklist Bypass
Moderate
CVE-2026-28783
was published
for
craftcms/cms
(Composer)
Mar 3, 2026
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Moderate
GHSA-3h2q-j2v4-6w5r
was published
for
openclaw
(npm)
Mar 9, 2026
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist
Moderate
GHSA-r48f-3986-4f9c
was published
for
fickling
(pip)
Mar 13, 2026
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`
Moderate
GHSA-5cxw-w2xg-2m8h
was published
for
fickling
(pip)
Mar 13, 2026
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Moderate
CVE-2026-22175
was published
for
openclaw
(npm)
Mar 2, 2026
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
Moderate
GHSA-5326-6f73-m96w
was published
for
openclaw
(npm)
Mar 19, 2026
•
withdrawn
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Moderate
CVE-2026-32747
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
OpenClaw has allowlist exec-guard bypass via env -S
Moderate
CVE-2026-31992
was published
for
openclaw
(npm)
Mar 3, 2026
Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items
Moderate
CVE-2026-33628
was published
for
invoiceninja/invoiceninja
(Composer)
Mar 24, 2026
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Moderate
CVE-2026-32010
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Moderate
CVE-2026-32017
was published
for
openclaw
(npm)
Mar 3, 2026
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
GHSA-rf75-g96h-j3rm
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
CVE-2026-34425
was published
for
openclaw
(npm)
Apr 6, 2026
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Moderate
CVE-2026-39315
was published
for
unhead
(npm)
Apr 9, 2026
ProTip!
Advisories are also available from the
GraphQL API