Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

66 advisories

Loading
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers High
CVE-2026-54070 was published for github.com/siyuan-note/siyuan/kernel (Go) Jul 10, 2026
kah-ja Credited to kah-ja
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes High
CVE-2026-49825 was published for lxml_html_clean (pip) Jul 8, 2026
glefait Credited to glefait, frenzymadness, and scoder frenzymadness frenzymadness
scoder scoder
Spatie Laravel Media Library contains a file upload restriction bypass High
CVE-2026-48557 was published for spatie/laravel-medialibrary (Composer) May 29, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation High
CVE-2026-54512 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
caveeroo Credited to caveeroo, omkhar, and 75ACOL omkhar omkhar
75ACOL 75ACOL
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) High
CVE-2026-54513 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Jun 23, 2026
omkhar Credited to omkhar
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks High
GHSA-27pq-2ph8-8x25 was published for openclaw (npm) Jun 16, 2026 withdrawn
Picklescan does not block ctypes High
CVE-2025-71323 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER High
CVE-2026-53875 was published for picklescan (pip) Feb 18, 2026
zpbrent Credited to zpbrent
Picklescan has Incomplete List of Disallowed Inputs High
CVE-2025-71320 was published for picklescan (pip) Dec 29, 2025
0x-Apollyon Credited to 0x-Apollyon
OpenClaw: Shell inline-command parsing could miss an allowlist check High
CVE-2026-53866 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Host environment sanitizer missed two Node.js control variables High
CVE-2026-53864 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables High
GHSA-vr6h-vxqj-3pjx was published for openclaw (npm) Jun 16, 2026 withdrawn
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection High
CVE-2026-54090 was published for github.com/filebrowser/filebrowser/v2 (Go) Jun 12, 2026
RajChowdhury240 Credited to RajChowdhury240
Fickling has Code Injection vulnerability via pty.spawn() High
CVE-2025-67748 was published for fickling (pip) Dec 15, 2025
ajohnston9 Credited to ajohnston9 and 0x00nier 0x00nier 0x00nier
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes High
CVE-2026-45741 was published for github.com/gotenberg/gotenberg/v8 (Go) May 29, 2026
yuui25 Credited to yuui25
Flowise has an MCP Security Bypass that Enables RCE High
GHSA-m99r-2hxc-cp3q was published for flowise (npm) May 14, 2026
cn-panda Credited to cn-panda
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist High
CVE-2026-42590 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
JohannesLks Credited to JohannesLks
hits313 Credited to hits313
OpenClaw: Workspace dotenv could override runtime-control environment variables High
CVE-2026-44114 was published for openclaw (npm) Apr 25, 2026
foodlook Credited to foodlook
ProTip! Advisories are also available from the GraphQL API