GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
35 advisories
Filter by severity
OpenClaw: Mattermost handlers could fall open when channel type was missing
Moderate
GHSA-gp79-m99v-gjmh
was published
for
openclaw
(npm)
Jul 2, 2026
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
High
CVE-2026-53712
was published
for
com.ongres.scram:scram-client
(Maven)
Jul 1, 2026
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Moderate
CVE-2026-54762
was published
for
github.com/traefik/traefik/v3
(Go)
Jun 19, 2026
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Moderate
CVE-2026-55568
was published
for
guzzlehttp/guzzle
(Composer)
Jun 19, 2026
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment
Low
CVE-2026-53852
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment
Low
GHSA-hc4w-hm59-9w88
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event...
Moderate
Unreviewed
CVE-2026-53837
was published
Jun 13, 2026
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle...
Low
Unreviewed
CVE-2026-49318
was published
May 29, 2026
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle...
Low
Unreviewed
CVE-2026-49317
was published
May 29, 2026
MCP Registry: OCI validator skips ownership check on upstream rate limits
Low
CVE-2026-45781
was published
for
github.com/modelcontextprotocol/registry
(Go)
May 19, 2026
net-imap vulnerable to STARTTLS stripping via invalid response timing
High
CVE-2026-42246
was published
for
net-imap
(RubyGems)
May 4, 2026
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that...
High
Unreviewed
CVE-2026-41334
was published
Apr 24, 2026
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes
Critical
CVE-2026-40525
was published
for
openviking
(pip)
Apr 17, 2026
free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors
Moderate
CVE-2026-40249
was published
for
github.com/free5gc/udr
(Go)
Apr 14, 2026
free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions
High
CVE-2026-40248
was published
for
github.com/free5gc/udr
(Go)
Apr 14, 2026
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions
High
CVE-2026-40247
was published
for
github.com/free5gc/udr
(Go)
Apr 14, 2026
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
High
CVE-2026-35205
was published
for
helm.sh/helm/v4
(Go)
Apr 10, 2026
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
Moderate
CVE-2026-42423
was published
for
openclaw
(npm)
Apr 9, 2026
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)
High
CVE-2026-35042
was published
for
fast-jwt
(npm)
Apr 3, 2026
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Low
CVE-2026-41377
was published
for
openclaw
(npm)
Apr 2, 2026
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
Low
GHSA-vm29-7mq3-9jrg
was published
for
OpenClaw
(npm)
Mar 31, 2026
•
withdrawn
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
Low
CVE-2026-27448
was published
for
pyopenssl
(pip)
Mar 16, 2026
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode
Low
CVE-2026-32970
was published
for
openclaw
(npm)
Mar 13, 2026
An administrator may attempt to block all traffic by configuring a pass filter with an empty...
Moderate
Unreviewed
CVE-2025-41760
was published
Mar 9, 2026
An administrator may attempt to block all networks by specifying "\*" or "all" as the network...
Moderate
Unreviewed
CVE-2025-41759
was published
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API