GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,489
Maven: 5,000+
npm: 5,000+
NuGet: 892
pip: 4,745
Pub: 13
RubyGems: 1,033
Rust: 1,228
Swift: 53
Unreviewed advisories:
All unreviewed: 5,000+
5,723 advisories
Title | Severity | Identifier | Package (ecosystem) | Published | Status
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation | Moderate | GHSA-8f9r-gr6r-x63q | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure | Moderate | GHSA-hm63-vwj4-mj2q | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve | High | GHSA-r3v5-2grc-429h | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) | Moderate | GHSA-8j7f-g9gv-7jhc | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication | Moderate | GHSA-9gvx-vj57-vqqx | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision | Moderate | GHSA-g8mc-c5f2-mqg7 | openclaw (npm) | Apr 10, 2026 | withdrawn
Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants | High | GHSA-j56c-wpqm-h24x | openclaw (npm) | Apr 10, 2026 | withdrawn
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) | Low | GHSA-cm8v-2vh9-cxf3 | openclaw (npm) | Apr 9, 2026 | published
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() | Moderate | CVE-2026-39315 | unhead (npm) | Apr 9, 2026 | published
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks | Moderate | GHSA-ccx3-fw7q-rr2r | openclaw (npm) | Apr 9, 2026 | published
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification | Moderate | GHSA-3vvq-q2qc-7rmp | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects | High | CVE-2026-40037 | openclaw (npm) | Apr 9, 2026 | published
OpenClaw Host-Exec Environment Variable Injection | Moderate | GHSA-w9j9-w4cp-6wgr | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable | Moderate | GHSA-w8g9-x8gx-crmm | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write` | Low | GHSA-4f8g-77mw-3rxc | openclaw (npm) | Apr 9, 2026 | published
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation | Moderate | GHSA-vr5g-mmx7-h897 | openclaw (npm) | Apr 9, 2026 | published
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval | Moderate | GHSA-67mf-f936-ppxf | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix) | Low | GHSA-5fc7-f62m-8983 | openclaw (npm) | Apr 9, 2026 | published
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths | Moderate | GHSA-3fv3-6p2v-gxwj | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Existing WS sessions survive shared gateway token rotation | Moderate | GHSA-5h3f-885m-v22w | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths | Low | GHSA-25wv-8phj-8p7r | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement | High | GHSA-5wj5-87vq-39xm | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes | Moderate | GHSA-vc32-h5mq-453v | openclaw (npm) | Apr 9, 2026 | published
OpenClaw: resolvedAuth closure becomes stale after config reload | Moderate | GHSA-68x5-xx89-w9mm | openclaw (npm) | Apr 9, 2026 | published
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard | Moderate | GHSA-cmfr-9m2r-xwhq | openclaw (npm) | Apr 9, 2026 | published
Advisories are also available from the GraphQL API.