Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

37 advisories

Loading
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts Moderate
GHSA-6c4r-g249-wv3c was published for openclaw (npm) Jul 2, 2026
anshumanbh Credited to anshumanbh
NodeVM observability builtins leak host process and HTTP request data Moderate
CVE-2026-47141 was published for vm2 (npm) May 29, 2026
spbavarva Credited to spbavarva
vm2 Has a Sandbox Breakout Using Async Generator Critical
CVE-2026-45411 was published for vm2 (npm) May 14, 2026
XmiliaH Credited to XmiliaH
vm2 has Sandbox Breakout Through Null Proto Exception Critical
CVE-2026-44009 was published for vm2 (npm) May 8, 2026
XmiliaH Credited to XmiliaH
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` Critical
CVE-2026-44008 was published for vm2 (npm) May 8, 2026
XmiliaH Credited to XmiliaH
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary Moderate
CVE-2026-44000 was published for vm2 (npm) May 7, 2026
fasrm Credited to fasrm
threalwinky Credited to threalwinky
Electron: Named window.open targets not scoped to the opener's browsing context Moderate
CVE-2026-34765 was published for electron (npm) Apr 7, 2026
HO-9 Credited to HO-9 and HanJeouk HanJeouk HanJeouk
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler Moderate
CVE-2026-34217 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
chawdamrunal Credited to chawdamrunal
tdjackey Credited to tdjackey
Electron: Context Isolation bypass via contextBridge VideoFrame transfer High
CVE-2026-34780 was published for electron (npm) Apr 3, 2026
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts Moderate
CVE-2026-35658 was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Gateway `agent` calls could override the workspace boundary High
GHSA-2rqg-gjgv-84jm was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations High
GHSA-3jx4-q2m7-r496 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
Dark Reader gives users the ability to request style sheets from local web servers Low
CVE-2025-68467 was published for darkreader (npm) Mar 4, 2026
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner High
CVE-2025-61917 was published for n8n (npm) Feb 4, 2026
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl High
CVE-2026-25253 was published for clawdbot (npm) Feb 2, 2026
DepthFirstDisclosures Credited to DepthFirstDisclosures, 0xacb, and mavlevin 0xacb 0xacb
mavlevin mavlevin
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) Moderate
CVE-2026-24473 was published for hono (npm) Jan 27, 2026
kilkat Credited to kilkat and JungJoonWoo JungJoonWoo JungJoonWoo
n8n Information Disclosure vulnerability High
CVE-2023-27564 was published for n8n (npm) May 10, 2023
MarkLee131 Credited to MarkLee131
ecdh vulnerable to Exposure of Resource to Wrong Sphere High
CVE-2022-44310 was published for ecdh (npm) Feb 24, 2023
TheGrandPew Credited to TheGrandPew and msrkp msrkp msrkp
xdlocalstorage does not verify request origin High
CVE-2020-11610 was published for xdlocalstorage (npm) May 24, 2022
Renderers can obtain access to random bluetooth device without permission in Electron Low
CVE-2022-21718 was published for electron (npm) Mar 22, 2022
PalmerAL Credited to PalmerAL
ProTip! Advisories are also available from the GraphQL API