Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

46 advisories

Loading
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
caveeroo Credited to caveeroo, omkhar, and 75ACOL omkhar omkhar
75ACOL 75ACOL
OpenClaw: Shell inline-command parsing could miss an allowlist check High
CVE-2026-53866 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Host environment sanitizer missed two Node.js control variables High
CVE-2026-53864 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables High
GHSA-vr6h-vxqj-3pjx was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks High
GHSA-27pq-2ph8-8x25 was published for openclaw (npm) Jun 16, 2026 withdrawn
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
RajChowdhury240 Credited to RajChowdhury240
Spatie Laravel Media Library contains a file upload restriction bypass High
CVE-2026-48557 was published for spatie/laravel-medialibrary (Composer) May 29, 2026
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
yuui25 Credited to yuui25
Flowise has an MCP Security Bypass that Enables RCE High
GHSA-m99r-2hxc-cp3q was published for flowise (npm) May 14, 2026
cn-panda Credited to cn-panda
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist High
CVE-2026-42590 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
JohannesLks Credited to JohannesLks
Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables High
GHSA-xrgf-r9gr-jjjf was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables High
GHSA-9r9j-3r2w-fg3v was published for openclaw (npm) May 6, 2026 withdrawn
hits313 Credited to hits313
OpenClaw: Workspace dotenv could override runtime-control environment variables High
CVE-2026-44114 was published for openclaw (npm) Apr 25, 2026
foodlook Credited to foodlook
OpenClaw: Exec environment denylist missed high-risk interpreter startup variables High
CVE-2026-43584 was published for openclaw (npm) Apr 17, 2026
feiyang666 Credited to feiyang666
tdjackey Credited to tdjackey
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: allowlist exec-guard bypass via env -S High
GHSA-x742-88jj-7hv9 was published for openclaw (npm) Mar 19, 2026 withdrawn
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution High
CVE-2026-33139 was published for pyspector (pip) Mar 18, 2026
Shinigami81 Credited to Shinigami81
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects High
CVE-2026-32913 was published for openclaw (npm) Mar 9, 2026
Rickidevs Credited to Rickidevs
ProTip! Advisories are also available from the GraphQL API