Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

24 advisories

Loading
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Slack allowFrom could bind to mutable display names High
GHSA-c29c-2q9c-pc86 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Control UI locality spoofing could mint a durable admin device token High
CVE-2026-53817 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers High
GHSA-rggc-m335-3wvj was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Discord allowFrom could bind to mutable display names High
CVE-2026-53849 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Zalo allowFrom could bind to mutable display names High
CVE-2026-53857 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
Duplicate Advisory: Zalo allowFrom could bind to mutable display names High
GHSA-w7m7-3xcf-mp48 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names High
GHSA-p44v-rx83-vjp4 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
GHSA-35vf-vw9f-q3cr was published for openclaw (npm) May 6, 2026 withdrawn
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
CVE-2026-44118 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
zpbrent Credited to zpbrent
Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes High
GHSA-qwmf-95r9-gx9x was published for openclaw (npm) Mar 21, 2026 withdrawn
h3 has a middleware bypass with one gadget High
CVE-2026-33131 was published for h3 (npm) Mar 18, 2026
hibwyli Credited to hibwyli
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy High
CVE-2026-32014 was published for openclaw (npm) Mar 3, 2026
76embiid21 Credited to 76embiid21
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
0x5t Credited to 0x5t
Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling High
CVE-2025-46573 was published for passport-wsfed-saml2 (npm) May 6, 2025
kevinroh-okta Credited to kevinroh-okta
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token High
CVE-2017-16897 was published for passport-wsfed-saml2 (npm) Jun 21, 2023
Parse Server option `masterKeyIps` vulnerability to IP spoofing High
CVE-2023-22474 was published for parse-server (npm) Jan 31, 2023
dblythy Credited to dblythy
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding High
CVE-2018-7160 was published for node-inspector (npm) May 13, 2022 withdrawn
Authentication Bypass by Spoofing in express-cart High
CVE-2018-16483 was published for express-cart (npm) Feb 7, 2019
Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2 High
GHSA-7fpw-cfc4-3p2c was published for passport-wsfed-saml2 (npm) Dec 28, 2017 withdrawn
ProTip! Advisories are also available from the GraphQL API