Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

159 advisories

Loading
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Spatie Laravel Media Library contains a file upload restriction bypass High
CVE-2026-48557 was published for spatie/laravel-medialibrary (Composer) May 29, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
caveeroo Credited to caveeroo, omkhar, and 75ACOL omkhar omkhar
75ACOL 75ACOL
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247 Low
GHSA-8678-w3jw-xfc2 was published for nokogiri (RubyGems) Jun 19, 2026
bilerden Credited to bilerden
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks High
GHSA-27pq-2ph8-8x25 was published for openclaw (npm) Jun 16, 2026 withdrawn
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers Low
CVE-2026-53848 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers Low
GHSA-wrr6-p5r6-474m was published for openclaw (npm) Jun 16, 2026 withdrawn
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
CVE-2026-53861 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
GHSA-g796-jqmx-wf9q was published for openclaw (npm) Jun 16, 2026 withdrawn
Picklescan does not block ctypes High
CVE-2025-71323 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Duplicate Advisory: Picklescan does not block ctypes Critical
GHSA-7f79-rvx6-vxc4 was published for picklescan (pip) Jun 17, 2026 withdrawn
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
CVE-2026-53875 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
CVE-2026-53873 was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-4mpj-78p6-rj59 was published for picklescan (pip) Jun 17, 2026 withdrawn
Picklescan has Incomplete List of Disallowed Inputs High
CVE-2025-71320 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Duplicate Advisory: Picklescan has Incomplete List of Disallowed Inputs Critical
GHSA-6v84-v468-3c7f was published for picklescan (pip) Jun 17, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API