GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
66 advisories
Filter by severity
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
High
CVE-2026-54070
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Jul 10, 2026
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv...
High
Unreviewed
CVE-2026-59261
was published
Jul 8, 2026
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
High
CVE-2026-49825
was published
for
lxml_html_clean
(pip)
Jul 8, 2026
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard...
High
Unreviewed
CVE-2026-14534
was published
Jul 4, 2026
Spatie Laravel Media Library contains a file upload restriction bypass
High
CVE-2026-48557
was published
for
spatie/laravel-medialibrary
(Composer)
May 29, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing...
High
Unreviewed
CVE-2025-71355
was published
Jul 1, 2026
jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
High
CVE-2026-54512
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
High
CVE-2026-54513
was published
for
com.fasterxml.jackson.core:jackson-databind
(Maven)
Jun 23, 2026
picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the...
High
Unreviewed
CVE-2025-71351
was published
Jun 21, 2026
Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks
High
GHSA-27pq-2ph8-8x25
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Picklescan does not block ctypes
High
CVE-2025-71323
was published
for
picklescan
(pip)
Dec 29, 2025
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High
CVE-2026-53875
was published
for
picklescan
(pip)
Feb 18, 2026
Picklescan has Incomplete List of Disallowed Inputs
High
CVE-2025-71320
was published
for
picklescan
(pip)
Dec 29, 2025
OpenClaw: Shell inline-command parsing could miss an allowlist check
High
CVE-2026-53866
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Host environment sanitizer missed two Node.js control variables
High
CVE-2026-53864
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables
High
GHSA-vr6h-vxqj-3pjx
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded...
High
Unreviewed
CVE-2026-53836
was published
Jun 13, 2026
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
High
CVE-2026-54090
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Jun 12, 2026
Fickling has Code Injection vulnerability via pty.spawn()
High
CVE-2025-67748
was published
for
fickling
(pip)
Dec 15, 2025
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
High
CVE-2026-45741
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 29, 2026
Flowise has an MCP Security Bypass that Enables RCE
High
GHSA-m99r-2hxc-cp3q
was published
for
flowise
(npm)
May 14, 2026
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
High
CVE-2026-42590
was published
for
github.com/gotenberg/gotenberg/v8
(Go)
May 7, 2026
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
High
CVE-2026-43929
was published
for
ssrfcheck
(npm)
May 5, 2026
OpenClaw: Workspace dotenv could override runtime-control environment variables
High
CVE-2026-44114
was published
for
openclaw
(npm)
Apr 25, 2026
ProTip!
Advisories are also available from the
GraphQL API