Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

376 advisories

Loading
Electron: Crash in clipboard.readImage() on malformed clipboard image data Low
CVE-2026-34781 was published for electron (npm) Apr 7, 2026
frostb1ten Credited to frostb1ten
@elgentos/magento2-dev-mcp vulnerable to command injection Low
CVE-2026-5603 was published for @elgentos/magento2-dev-mcp (npm) Apr 6, 2026
@nor2/heim-mcp vulnerable to command injection Low
CVE-2026-5602 was published for @nor2/heim-mcp (npm) Apr 6, 2026
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Electron: Use-after-free in offscreen shared texture release() callback Low
CVE-2026-34764 was published for electron (npm) Apr 3, 2026
daffainfo Credited to daffainfo
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass Low
CVE-2026-35038 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps Low
CVE-2026-41382 was published for openclaw (npm) Apr 3, 2026
cyjhhh Credited to cyjhhh
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config Low
CVE-2026-41388 was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation Low
GHSA-rfqg-qgf8-xr9x was published for openclaw (npm) Apr 3, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding Low
GHSA-37v6-fxx8-xjmx was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Electron: Unquoted executable path in app.setLoginItemSettings on Windows Low
CVE-2026-34768 was published for electron (npm) Apr 3, 2026
Electron: USB device selection not validated against filtered device list Low
CVE-2026-34766 was published for electron (npm) Apr 3, 2026
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` Low
GHSA-ccgf-5rwj-j3hv was published for telejson (npm) Apr 2, 2026
Niccolo10 Credited to Niccolo10
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Low
CVE-2026-41377 was published for openclaw (npm) Apr 2, 2026
davidluzsilva Credited to davidluzsilva
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API Low
GHSA-chfm-xgc4-47rj was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Matrix thread root and reply context bypass sender allowlist Low
CVE-2026-41376 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass Low
CVE-2026-41402 was published for openclaw (npm) Apr 2, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection Low
GHSA-89r3-6x4j-v7wf was published for openclaw (npm) Apr 2, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function Low
CVE-2026-5327 was published for fast-filesystem-mcp (npm) Apr 2, 2026
a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function Low
CVE-2026-5323 was published for a11y-mcp (npm) Apr 2, 2026
OpenClaw affected by SSRF via unguarded image download in fal provider Low
CVE-2026-34504 was published for openclaw (npm) Apr 1, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw SSRF guard misses four IPv6 special-use ranges Low
GHSA-g86v-f9qv-rh6m was published for openclaw (npm) Mar 31, 2026
nicky-cc Credited to nicky-cc
Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty Low
GHSA-xg59-f45v-9r9j was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-vm29-7mq3-9jrg was published for OpenClaw (npm) Mar 31, 2026 withdrawn
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
CVE-2026-35617 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database