GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,273
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,489
Swift
61
Unreviewed advisories
All unreviewed
5,000+
76 advisories
Filter by severity
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
High
CVE-2026-53814
was published
for
openclaw
(npm)
Jul 2, 2026
Keycloak has privilege escalation via improper scope mapping enforcement
High
CVE-2026-9795
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 1, 2026
OpenClaw: Active Memory write scope could mutate global config
Moderate
CVE-2026-53847
was published
for
openclaw
(npm)
Jun 18, 2026
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
High
GHSA-6jcq-6546-qrrw
was published
for
praisonai
(pip)
Jun 18, 2026
Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes
Low
GHSA-h9h6-pwqv-j9hv
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: Active Memory write scope could mutate global config
Moderate
GHSA-58wc-8wrv-xp9j
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API
Low
CVE-2026-10215
was published
for
dolibarr/dolibarr
(Composer)
Jun 1, 2026
OpenStack Keystone has an Incorrect Authorization issue
Moderate
CVE-2026-43000
was published
for
keystone
(pip)
May 28, 2026
Duplicate Advisory: Keycloak has privilege escalation via improper scope mapping enforcement
High
GHSA-8hcx-p7m8-gc28
was published
for
org.keycloak:keycloak-services
(Maven)
May 28, 2026
•
withdrawn
phpMyFAQ: IDOR Account Takeover
High
CVE-2026-35671
was published
for
phpmyfaq/phpmyfaq
(Composer)
May 20, 2026
Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints
Low
GHSA-w626-296m-8f85
was published
for
openclaw
(npm)
May 11, 2026
•
withdrawn
Wooey has an Incorrect Privilege Assignment issue
Low
CVE-2026-7142
was published
for
wooey
(pip)
Apr 27, 2026
Memos has an Incorrect Privilege Assignment issue
Low
CVE-2026-6634
was published
for
github.com/usememos/memos
(Go)
Apr 20, 2026
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
High
CVE-2026-42433
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
Moderate
GHSA-f3h5-h452-vp3j
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
Moderate
CVE-2026-43568
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context
Moderate
CVE-2026-43535
was published
for
openclaw
(npm)
Apr 17, 2026
Silverstripe Assets Module has a DBFile::getURL() permission bypass
Moderate
CVE-2026-24749
was published
for
silverstripe/assets
(Composer)
Apr 16, 2026
Decidim amendments can be accepted or rejected by anyone
High
CVE-2026-40869
was published
for
decidim-core
(RubyGems)
Apr 14, 2026
Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Critical
GHSA-phgf-3849-rgjq
was published
for
openclaw
(npm)
Mar 31, 2026
•
withdrawn
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Moderate
CVE-2026-35645
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
High
CVE-2026-35669
was published
for
openclaw
(npm)
Mar 27, 2026
Keycloak: manage-clients permission escalates to full realm admin access
Moderate
CVE-2026-3121
was published
for
org.keycloak:keycloak-services
(Maven)
Mar 26, 2026
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt
High
GHSA-7ff8-xjh3-mgh6
was published
for
openclaw
(npm)
Mar 3, 2026
Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
Moderate
CVE-2026-0871
was published
for
org.keycloak:keycloak-server-spi-private
(Maven)
Feb 27, 2026
ProTip!
Advisories are also available from the
GraphQL API