GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
37 advisories
Filter by severity
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts
Moderate
GHSA-6c4r-g249-wv3c
was published
for
openclaw
(npm)
Jul 2, 2026
NodeVM observability builtins leak host process and HTTP request data
Moderate
CVE-2026-47141
was published
for
vm2
(npm)
May 29, 2026
vm2 Has a Sandbox Breakout Using Async Generator
Critical
CVE-2026-45411
was published
for
vm2
(npm)
May 14, 2026
vm2 has Sandbox Breakout Through Null Proto Exception
Critical
CVE-2026-44009
was published
for
vm2
(npm)
May 8, 2026
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Critical
CVE-2026-44008
was published
for
vm2
(npm)
May 8, 2026
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Moderate
CVE-2026-44000
was published
for
vm2
(npm)
May 7, 2026
Duplicate Advisory: OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
GHSA-5mh4-3rv3-fpcf
was published
for
openclaw
(npm)
Apr 28, 2026
•
withdrawn
OpenClaw: Shared reply MEDIA - paths are treated as trusted and can trigger cross-channel local file exfiltration
Moderate
CVE-2026-42424
was published
for
openclaw
(npm)
Apr 9, 2026
Electron: Named window.open targets not scoped to the opener's browsing context
Moderate
CVE-2026-34765
was published
for
electron
(npm)
Apr 7, 2026
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
Moderate
CVE-2026-34217
was published
for
@nyariv/sandboxjs
(npm)
Apr 3, 2026
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
High
CVE-2026-41369
was published
for
openclaw
(npm)
Apr 3, 2026
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
High
CVE-2026-34780
was published
for
electron
(npm)
Apr 3, 2026
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
Moderate
CVE-2026-35658
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Gateway `agent` calls could override the workspace boundary
High
GHSA-2rqg-gjgv-84jm
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations
High
GHSA-3jx4-q2m7-r496
was published
for
openclaw
(npm)
Mar 4, 2026
Dark Reader gives users the ability to request style sheets from local web servers
Low
CVE-2025-68467
was published
for
darkreader
(npm)
Mar 4, 2026
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
High
CVE-2026-25725
was published
for
@anthropic-ai/claude-code
(npm)
Feb 6, 2026
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
High
CVE-2025-61917
was published
for
n8n
(npm)
Feb 4, 2026
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
High
CVE-2026-25253
was published
for
clawdbot
(npm)
Feb 2, 2026
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Moderate
CVE-2026-24473
was published
for
hono
(npm)
Jan 27, 2026
n8n Information Disclosure vulnerability
High
CVE-2023-27564
was published
for
n8n
(npm)
May 10, 2023
ecdh vulnerable to Exposure of Resource to Wrong Sphere
High
CVE-2022-44310
was published
for
ecdh
(npm)
Feb 24, 2023
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
Low
CVE-2022-29247
was published
for
electron
(npm)
Jun 16, 2022
xdlocalstorage does not verify request origin
High
CVE-2020-11610
was published
for
xdlocalstorage
(npm)
May 24, 2022
Renderers can obtain access to random bluetooth device without permission in Electron
Low
CVE-2022-21718
was published
for
electron
(npm)
Mar 22, 2022
ProTip!
Advisories are also available from the
GraphQL API