GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,904; Maven 5,000+; npm 5,000+; NuGet 967; pip 5,000+; Pub 13; RubyGems 1,062; Rust 1,374; Swift 54.
Unreviewed advisories: All unreviewed 5,000+.

126 advisories (the 25 most recent are listed below, newest first).
Identifier | Severity | Title | Package (ecosystem), or Unreviewed where no package is listed | Published

CVE-2026-45066 | Moderate | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification | symfony/html-sanitizer (Composer) | May 27, 2026
GHSA-m99r-2hxc-cp3q | High | Flowise has an MCP Security Bypass that Enables RCE | flowise (npm) | May 14, 2026
CVE-2026-45006 | High | OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's... | Unreviewed | May 11, 2026
CVE-2026-44993 | Low | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action... | Unreviewed | May 11, 2026
CVE-2026-42590 | High | Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist | github.com/gotenberg/gotenberg/v8 (Go) | May 7, 2026
CVE-2026-43578 | Critical | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where... | Unreviewed | May 6, 2026
CVE-2026-44115 | High | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell... | Unreviewed | May 6, 2026
GHSA-xrgf-r9gr-jjjf | High | Duplicate Advisory: OpenClaw: Exec environment denylist missed high-risk interpreter startup variables | openclaw (npm) | May 6, 2026 (withdrawn)
GHSA-9r9j-3r2w-fg3v | High | Duplicate Advisory: OpenClaw: Workspace dotenv could override runtime-control environment variables | openclaw (npm) | May 6, 2026 (withdrawn)
CVE-2026-43929 | High | ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs | ssrfcheck (npm) | May 5, 2026
CVE-2026-44114 | High | OpenClaw: Workspace dotenv could override runtime-control environment variables | openclaw (npm) | Apr 25, 2026
CVE-2026-41361 | Moderate | OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four... | Unreviewed | Apr 24, 2026
GHSA-wcm7-94wg-h74h | Moderate | Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override | openclaw (npm) | Apr 24, 2026 (withdrawn)
CVE-2026-34415 | Critical | Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation... | Unreviewed | Apr 22, 2026
CVE-2026-41264 | Critical | Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability | flowise (npm) | Apr 21, 2026
CVE-2026-26274 | Moderate | October CMS has Safe Mode Bypass via Twig Database Write Operations | october/october (Composer) | Apr 21, 2026
CVE-2026-26067 | Moderate | October CMS has Safe Mode Bypass via CSS Preprocessor Compilers | october/system (Composer) | Apr 21, 2026
CVE-2026-25525 | Moderate | OpenMage LTS has a Path Traversal Filter Bypass in Dataflow Module | openmage/magento-lts (Composer) | Apr 21, 2026
CVE-2026-41265 | Critical | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability | flowise (npm) | Apr 18, 2026
CVE-2026-43532 | Moderate | OpenClaw: Discord event cover images bypassed sandbox media normalization | openclaw (npm) | Apr 17, 2026
CVE-2026-43584 | High | OpenClaw: Exec environment denylist missed high-risk interpreter startup variables | openclaw (npm) | Apr 17, 2026
CVE-2026-43566 | Moderate | OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events | openclaw (npm) | Apr 17, 2026
CVE-2026-41206 | Moderate | PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code | pyspector (pip) | Apr 16, 2026
GHSA-rh42-6rj2-xwmc | Low | Kimai leaks API Token Hash via Invoice Twig Template | kimai/kimai (Composer) | Apr 14, 2026
CVE-2026-34177 | Critical | LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf | github.com/canonical/lxd (Go) | Apr 10, 2026

Entries marked "withdrawn" are duplicate advisories that have been withdrawn; they remain listed but are superseded by the advisory they duplicate.
ProTip! Advisories are also available from the GraphQL API.
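The GraphQL route mentioned in the tip, as an added example that is not part of this page or of GitHub's own tooling: it queries securityAdvisories for the same fields the listing shows (identifier, severity, summary, package, publication date) plus withdrawnAt, and flattens the response into rows like the ones above. The network call assumes a token in the GITHUB_TOKEN environment variable; the page size of 20 and the sample response are choices made here, and the sample's time-of-day values and the GHSA-0000-0000-0000 id are placeholders, not real data.

```python
"""Pull the GitHub Advisory Database listing through the GraphQL API and
flatten it into the same rows the web listing shows.  Added example, not
GitHub's own tooling; assumes a token in the GITHUB_TOKEN environment
variable for the live call."""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# securityAdvisories, orderBy and the fields below are part of GitHub's
# public GraphQL schema; the page size of 20 is an arbitrary choice.
ADVISORY_QUERY = """
query($cursor: String) {
  securityAdvisories(first: 20, after: $cursor,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt withdrawnAt
      identifiers { type value }
      vulnerabilities(first: 10) { nodes { package { name ecosystem } } }
    }
  }
}
"""


def fetch_page(token, cursor=None):
    """One GraphQL round trip (requires network; not exercised offline)."""
    body = json.dumps({"query": ADVISORY_QUERY,
                       "variables": {"cursor": cursor}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response):
    """One row per advisory: identifier, severity, summary, affected
    packages, publication date and whether it has been withdrawn.
    Like the listing page, the CVE id is shown when one is assigned,
    otherwise the GHSA id.  Severity and ecosystem arrive as upper-case
    enum names (HIGH, NPM), not the page's display strings."""
    rows = []
    for node in response["data"]["securityAdvisories"]["nodes"]:
        cves = [i["value"] for i in node["identifiers"] if i["type"] == "CVE"]
        packages = sorted({
            f'{v["package"]["name"]} ({v["package"]["ecosystem"]})'
            for v in node["vulnerabilities"]["nodes"]})
        rows.append({
            "id": cves[0] if cves else node["ghsaId"],
            "ghsa": node["ghsaId"],
            "severity": node["severity"],
            "summary": node["summary"],
            "packages": packages,
            "published": node["publishedAt"][:10],
            "withdrawn": node["withdrawnAt"] is not None,
        })
    return rows


def active_rows(rows):
    """Withdrawn entries (the page's 'Duplicate Advisory' items) stay
    visible in the listing but should not drive triage; drop them here."""
    return [r for r in rows if not r["withdrawn"]]


# Constructed sample response modelled on two entries from this page.
# Summaries, severities, ids, package and dates are taken from the page;
# the time-of-day parts and the GHSA-0000-0000-0000 id are placeholders.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"ghsaId": "GHSA-xrgf-r9gr-jjjf",
         "summary": "Duplicate Advisory: OpenClaw: Exec environment denylist "
                    "missed high-risk interpreter startup variables",
         "severity": "HIGH",
         "publishedAt": "2026-05-06T00:00:00Z",
         "withdrawnAt": "2026-05-06T00:00:00Z",
         "identifiers": [{"type": "GHSA", "value": "GHSA-xrgf-r9gr-jjjf"}],
         "vulnerabilities": {"nodes": [
             {"package": {"name": "openclaw", "ecosystem": "NPM"}}]}},
        {"ghsaId": "GHSA-0000-0000-0000",   # placeholder, not the real id
         "summary": "OpenClaw: Exec environment denylist missed high-risk "
                    "interpreter startup variables",
         "severity": "HIGH",
         "publishedAt": "2026-04-17T00:00:00Z",
         "withdrawnAt": None,
         "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0000"},
                         {"type": "CVE", "value": "CVE-2026-43584"}],
         "vulnerabilities": {"nodes": [
             {"package": {"name": "openclaw", "ecosystem": "NPM"}}]}},
    ]}}}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    data = fetch_page(token) if token else SAMPLE_RESPONSE
    for row in active_rows(flatten(data)):
        print(row["id"], row["severity"], row["published"],
              ", ".join(row["packages"]), row["summary"], sep=" | ")
```

Run without a token to see the constructed sample flattened; with GITHUB_TOKEN set it fetches the first page of the live database. Follow pageInfo.endCursor to page further. The withdrawnAt filter matters in practice: withdrawn duplicates such as the three listed on this page would otherwise appear twice in a triage feed, once under the GHSA duplicate and once under the CVE it duplicates.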