Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

76 advisories

Loading
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority High
CVE-2026-53814 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
Keycloak has privilege escalation via improper scope mapping enforcement High
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
OpenClaw: Active Memory write scope could mutate global config Moderate
CVE-2026-53847 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable High
GHSA-6jcq-6546-qrrw was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes Low
GHSA-h9h6-pwqv-j9hv was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Active Memory write scope could mutate global config Moderate
GHSA-58wc-8wrv-xp9j was published for openclaw (npm) Jun 16, 2026 withdrawn
Dolibarr ERP CRM is vulnerable to Improper Authorization through its Leave Request REST API Low
CVE-2026-10215 was published for dolibarr/dolibarr (Composer) Jun 1, 2026
OpenStack Keystone has an Incorrect Authorization issue Moderate
CVE-2026-43000 was published for keystone (pip) May 28, 2026
Duplicate Advisory: Keycloak has privilege escalation via improper scope mapping enforcement High
GHSA-8hcx-p7m8-gc28 was published for org.keycloak:keycloak-services (Maven) May 28, 2026 withdrawn
phpMyFAQ: IDOR Account Takeover High
CVE-2026-35671 was published for phpmyfaq/phpmyfaq (Composer) May 20, 2026
cyberHunter127 Credited to cyberHunter127
Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints Low
GHSA-w626-296m-8f85 was published for openclaw (npm) May 11, 2026 withdrawn
Wooey has an Incorrect Privilege Assignment issue Low
CVE-2026-7142 was published for wooey (pip) Apr 27, 2026
Memos has an Incorrect Privilege Assignment issue Low
CVE-2026-6634 was published for github.com/usememos/memos (Go) Apr 20, 2026
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools High
CVE-2026-42433 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence Moderate
GHSA-f3h5-h452-vp3j was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands Moderate
CVE-2026-43568 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context Moderate
CVE-2026-43535 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Silverstripe Assets Module has a DBFile::getURL() permission bypass Moderate
CVE-2026-24749 was published for silverstripe/assets (Composer) Apr 16, 2026
Decidim amendments can be accepted or rejected by anyone High
CVE-2026-40869 was published for decidim-core (RubyGems) Apr 14, 2026
Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-phgf-3849-rgjq was published for openclaw (npm) Mar 31, 2026 withdrawn
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` Moderate
CVE-2026-35645 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
zpbrent Credited to zpbrent
Keycloak: manage-clients permission escalates to full realm admin access Moderate
CVE-2026-3121 was published for org.keycloak:keycloak-services (Maven) Mar 26, 2026
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt High
GHSA-7ff8-xjh3-mgh6 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API