
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,494 advisories

Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags High
GHSA-qmwh-9m9c-h36m was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
Credited to kodareef5
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature High
CVE-2026-35458 was published for github.com/gotenberg/gotenberg/v8 (Go) Apr 7, 2026
Credited to beryxz and drw0if
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// Moderate
GHSA-83f3-hh45-vfw9 was published for openclaw (npm) Apr 7, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Shared-secret comparison call sites leaked length information through timing Moderate
GHSA-jj6q-rrrf-h66h was published for openclaw (npm) Apr 7, 2026
Credited to kexinoh
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders Moderate
GHSA-rxmx-g7hr-8mx4 was published for openclaw (npm) Apr 7, 2026
Credited to D0ub1e-D
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections Moderate
GHSA-fh32-73r9-rgh5 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771
OpenClaw: pnpm dlx approvals did not bind local script operands Moderate
GHSA-w6wx-jq6j-6mcj was published for openclaw (npm) Apr 7, 2026
Credited to Kazamayc
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding Moderate
GHSA-98ch-45wp-ch47 was published for openclaw (npm) Apr 7, 2026
Credited to wsparks-vc and iskindar
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients Moderate
GHSA-2f7j-rp58-mr42 was published for openclaw (npm) Apr 7, 2026
Credited to topsec-bunney
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup Moderate
GHSA-2qrv-rc5x-2g2h was published for openclaw (npm) Apr 7, 2026
Credited to zpbrent
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill Moderate
GHSA-5hff-46vh-rxmw was published for openclaw (npm) Apr 7, 2026
Credited to EaEa0001
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch Moderate
GHSA-4p4f-fc8q-84m3 was published for openclaw (npm) Apr 7, 2026
Credited to nexrin
OpenClaw: QQ Bot structured payloads could read arbitrary local files Moderate
GHSA-846p-hgpv-vphc was published for openclaw (npm) Apr 7, 2026
Credited to feiyang666
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped Moderate
GHSA-m34q-h93w-vg5x was published for openclaw (npm) Apr 7, 2026
Credited to jufeng123768
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets Low
GHSA-fqrj-m88p-qf3v was published for openclaw (npm) Apr 7, 2026
Credited to nexrin
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account Moderate
GHSA-wwfp-w96m-c6x8 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771
OpenClaw: Forged Nostr DMs could create pairing state before signature verification Moderate
GHSA-h43v-27wg-5mf9 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771 and KeenSecurityLab
OpenClaw: Shell init-file options could satisfy exec allowlist script matching Moderate
GHSA-wpc6-37g7-8q4w was published for openclaw (npm) Apr 7, 2026
Credited to cyjhhh
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send Low
GHSA-767m-xrhc-fxm7 was published for openclaw (npm) Apr 7, 2026
Credited to zpbrent
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations Moderate
GHSA-fwjq-xwfj-gv75 was published for openclaw (npm) Apr 7, 2026
Credited to tdjackey
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send Moderate
GHSA-3q42-xmxv-9vfr was published for openclaw (npm) Apr 7, 2026
Credited to zpbrent and YLChen-007
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection Moderate
GHSA-vjx8-8p7h-82gr was published for openclaw (npm) Apr 7, 2026
Credited to AntAISecurityLab
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk Moderate
GHSA-4g5x-2jfc-xm98 was published for openclaw (npm) Apr 7, 2026
Credited to AntAISecurityLab