GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (all reviewed: 5,000+), by ecosystem:
Composer: 5,000+
Erlang: 50
GitHub Actions: 50
Go: 3,673
Maven: 5,000+
npm: 5,000+
NuGet: 932
pip: 4,891
Pub: 13
RubyGems: 1,051
Rust: 1,315
Swift: 53
Unreviewed advisories (all unreviewed: 5,000+)
330,408 advisories in total
CVE-2026-3208 (Moderate, Unreviewed), published May 6, 2026: The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized...
CVE-2026-5753 (Moderate, Unreviewed), published May 6, 2026: The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing...
CVE-2026-2306 (Moderate, Unreviewed), published May 6, 2026: The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized...
CVE-2025-71251 (High, Unreviewed), published May 6, 2026: In IMS, there is a possible system crash due to improper input validation. This could lead to...
CVE-2025-71252 (High, Unreviewed), published May 6, 2026: In Modem IMS, there is a possible improper input validation. This could lead to remote denial of...
CVE-2026-7573 (Moderate, Unreviewed), published May 6, 2026: An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor...
CVE-2025-71254 (High, Unreviewed), published May 6, 2026: In Modem IMS, there is a possible improper input validation. This could lead to remote denial of...
CVE-2025-71255 (High, Unreviewed), published May 6, 2026: In Modem IMS, there is a possible improper input validation. This could lead to remote denial of...
CVE-2025-71253 (High, Unreviewed), published May 6, 2026: In Modem IMS, there is a possible improper input validation. This could lead to remote denial of...
CVE-2025-71256 (High, Unreviewed), published May 6, 2026: In nr modem, there is a possible improper input validation. This could lead to remote denial of...
CVE-2026-7572 (Moderate, Unreviewed), published May 6, 2026: An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in...
CVE-2026-42420 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
CVE-2026-42430 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
CVE-2026-42428 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
CVE-2026-42426 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
CVE-2026-41913 (Low), published for openclaw (npm) Apr 9, 2026: OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
CVE-2026-41910 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
CVE-2026-42422 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
CVE-2026-42431 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
CVE-2026-41915 (Low), published for openclaw (npm) Apr 9, 2026: OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
CVE-2026-42423 (Moderate), published for openclaw (npm) Apr 9, 2026: OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
CVE-2026-41407 (Moderate), published for openclaw (npm) Apr 7, 2026: OpenClaw: Shared-secret comparison call sites leaked length information through timing
CVE-2026-41400 (Moderate), published for openclaw (npm) Apr 3, 2026: OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
CVE-2026-41405 (High), published for openclaw (npm) Apr 3, 2026: OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
CVE-2026-41396 (High), published for openclaw (npm) Apr 3, 2026: OpenClaw: Workspace `.env` can override the bundled plugin trust root
Advisories are also available from the GraphQL API.