Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

35 advisories

Loading
OpenClaw: Mattermost handlers could fall open when channel type was missing Moderate
GHSA-gp79-m99v-gjmh was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
KEIJOT Credited to KEIJOT and jorsol jorsol jorsol
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails Moderate
CVE-2026-54762 was published for github.com/traefik/traefik/v3 (Go) Jun 19, 2026
vvvvvvvvvvel Credited to vvvvvvvvvvel
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext Moderate
CVE-2026-55568 was published for guzzlehttp/guzzle (Composer) Jun 19, 2026
GrahamCampbell Credited to GrahamCampbell
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment Low
CVE-2026-53852 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment Low
GHSA-hc4w-hm59-9w88 was published for openclaw (npm) Jun 16, 2026 withdrawn
MCP Registry: OCI validator skips ownership check on upstream rate limits Low
CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) May 19, 2026
rdimitrov Credited to rdimitrov
net-imap vulnerable to STARTTLS stripping via invalid response timing High
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes Critical
CVE-2026-40525 was published for openviking (pip) Apr 17, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions High
CVE-2026-40247 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install High
CVE-2026-35205 was published for helm.sh/helm/v4 (Go) Apr 10, 2026
maru1009 Credited to maru1009
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Low
CVE-2026-41377 was published for openclaw (npm) Apr 2, 2026
davidluzsilva Credited to davidluzsilva
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-vm29-7mq3-9jrg was published for OpenClaw (npm) Mar 31, 2026 withdrawn
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API