Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

52 advisories

Loading
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
CVE-2026-53861 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
GHSA-g796-jqmx-wf9q was published for openclaw (npm) Jun 16, 2026 withdrawn
tonghuaroot Credited to tonghuaroot and nicolas-grekas nicolas-grekas nicolas-grekas
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL Moderate
CVE-2026-22217 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass) Moderate
CVE-2026-32022 was published for openclaw (npm) Mar 3, 2026
athuljayaram Credited to athuljayaram
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification Moderate
CVE-2026-45066 was published for symfony/html-sanitizer (Composer) May 27, 2026
OpenClaw: Discord event cover images bypassed sandbox media normalization Moderate
CVE-2026-43532 was published for openclaw (npm) Apr 17, 2026
Telecaster2147 Credited to Telecaster2147
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
CVE-2026-43566 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
nicky-cc Credited to nicky-cc
OpenClaw: Shell init-file options could satisfy exec allowlist script matching Moderate
CVE-2026-41392 was published for openclaw (npm) Apr 7, 2026
cyjhhh Credited to cyjhhh
October CMS has Safe Mode Bypass via Twig Database Write Operations Moderate
CVE-2026-26274 was published for october/october (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers Moderate
CVE-2026-26067 was published for october/system (Composer) Apr 21, 2026
Neosprings Credited to Neosprings and daftspunk daftspunk daftspunk
fg0x0 Credited to fg0x0
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module Moderate
CVE-2026-25525 was published for openmage/magento-lts (Composer) Apr 21, 2026
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation Moderate
GHSA-8h8f-7cxm-m38j was published for openclaw (npm) Apr 2, 2026 withdrawn
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() Moderate
CVE-2026-39315 was published for unhead (npm) Apr 9, 2026
cybe4sent1nel Credited to cybe4sent1nel
OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
CVE-2026-34425 was published for openclaw (npm) Apr 6, 2026
wsparks-vc Credited to wsparks-vc and iskindar iskindar iskindar
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation Moderate
GHSA-rf75-g96h-j3rm was published for openclaw (npm) Apr 2, 2026 withdrawn
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write Moderate
CVE-2026-32017 was published for openclaw (npm) Mar 3, 2026
xelitte777 Credited to xelitte777 and Redgrave961 Redgrave961 Redgrave961
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API