GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
52 advisories
Filter by severity
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security...
Moderate
Unreviewed
CVE-2026-56777
was published
Jul 1, 2026
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
CVE-2026-53861
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
Moderate
GHSA-g796-jqmx-wf9q
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Moderate
CVE-2026-48736
was published
for
symfony/http-client
(Composer)
Jun 15, 2026
OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL
Moderate
CVE-2026-22217
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
Moderate
CVE-2026-32022
was published
for
openclaw
(npm)
Mar 3, 2026
Roundcube's HTML sanitization path for message rendering allows loopback, localhost, RFC1918,...
Moderate
Unreviewed
CVE-2026-9818
was published
May 28, 2026
Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
Moderate
CVE-2026-45066
was published
for
symfony/html-sanitizer
(Composer)
May 27, 2026
OpenClaw: Discord event cover images bypassed sandbox media normalization
Moderate
CVE-2026-43532
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events
Moderate
CVE-2026-43566
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Moderate
CVE-2026-41332
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Moderate
CVE-2026-41392
was published
for
openclaw
(npm)
Apr 7, 2026
Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Moderate
GHSA-wcm7-94wg-h74h
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four...
Moderate
Unreviewed
CVE-2026-41361
was published
Apr 24, 2026
October CMS has Safe Mode Bypass via Twig Database Write Operations
Moderate
CVE-2026-26274
was published
for
october/october
(Composer)
Apr 21, 2026
October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Moderate
CVE-2026-26067
was published
for
october/system
(Composer)
Apr 21, 2026
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Moderate
CVE-2026-41206
was published
for
pyspector
(pip)
Apr 16, 2026
OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module
Moderate
CVE-2026-25525
was published
for
openmage/magento-lts
(Composer)
Apr 21, 2026
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Moderate
CVE-2026-35410
was published
for
directus
(npm)
Apr 4, 2026
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
Moderate
GHSA-8h8f-7cxm-m38j
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Moderate
CVE-2026-39315
was published
for
unhead
(npm)
Apr 9, 2026
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
CVE-2026-34425
was published
for
openclaw
(npm)
Apr 6, 2026
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Moderate
GHSA-rf75-g96h-j3rm
was published
for
openclaw
(npm)
Apr 2, 2026
•
withdrawn
OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Moderate
CVE-2026-32017
was published
for
openclaw
(npm)
Mar 3, 2026
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Moderate
CVE-2026-32010
was published
for
openclaw
(npm)
Mar 3, 2026
ProTip!
Advisories are also available from the
GraphQL API