GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
102
GitHub Actions
54
Go
4,335
Maven
5,000+
npm
5,000+
NuGet
1,031
pip
5,000+
Pub
13
RubyGems
1,122
Rust
1,497
Swift
61
Unreviewed advisories
All unreviewed
5,000+
46 advisories
Filter by severity
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
High
CVE-2026-54513
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
OpenClaw: Shell inline-command parsing could miss an allowlist check
High
CVE-2026-53866
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Host environment sanitizer missed two Node.js control variables
High
CVE-2026-53864
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables
High
GHSA-vr6h-vxqj-3pjx
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
High
GHSA-27pq-2ph8-8x25
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
High
CVE-2026-54090
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jun 12, 2026
Spatie Laravel Media Library contains a file upload restriction bypass
High
CVE-2026-48557
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
High
CVE-2026-45741
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 29, 2026
Flowise has an MCP Security Bypass that Enables RCE
High
GHSA-m99r-2hxc-cp3q
was published
for
flowise
(npm)
May 14, 2026
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
High
CVE-2026-42590
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
High
GHSA-xrgf-r9gr-jjjf
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables
High
GHSA-9r9j-3r2w-fg3v
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
High
CVE-2026-43929
was published
for
ssrfcheck
(npm)
May 5, 2026
OpenClaw: Workspace dotenv could override runtime-control environment variables
High
CVE-2026-44114
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables
High
CVE-2026-43584
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
High
CVE-2026-42427
was published
for
openclaw
(npm)
Apr 9, 2026
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
CVE-2026-41369
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
High
CVE-2026-41391
was published
for
openclaw
(npm)
Apr 2, 2026
Duplicate Advisory: allowlist exec-guard bypass via env -S
High
GHSA-x742-88jj-7hv9
was published
for
openclaw
(npm)
Mar 19, 2026
•
withdrawn
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution
High
CVE-2026-33139
was published
for
pyspector
(pip)
Mar 18, 2026
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
High
CVE-2026-32913
was published
for
openclaw
(npm)
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API