Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

96 advisories

Loading
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system... Moderate Unreviewed
CVE-2026-32065 was published Mar 21, 2026
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run... Moderate Unreviewed
CVE-2026-32052 was published Mar 21, 2026
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk High
GHSA-q382-vc8q-7jhj was published for github.com/modelcontextprotocol/go-sdk (Go) Mar 19, 2026
anaximand3r Credited to anaximand3r
astral-tokio-tar insufficiently validates PAX extensions during extraction Low
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
woodruffw Credited to woodruffw and xokdvium xokdvium xokdvium
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
GHSA-rw39-5899-8mxp was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run allow-always persistence included shell-commented payload tails Moderate
GHSA-9q2p-vc84-2rwm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating Moderate
GHSA-r6qf-8968-wj9q was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the... High Unreviewed
CVE-2026-27444 was published Mar 4, 2026
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation Moderate
GHSA-796m-2973-wc5q was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text High
GHSA-6rcp-vxwf-3mfp was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed High
GHSA-hwpq-rrpf-pgcq was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists Moderate
GHSA-392f-ggf5-fp3c was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity High
CVE-2026-27896 was published for github.com/modelcontextprotocol/go-sdk (Go) Feb 26, 2026
anaximand3r Credited to anaximand3r
Fickling: OBJ opcode call invisibility bypasses all safety checks High
GHSA-mxhj-88fx-4pcv was published for fickling (pip) Feb 24, 2026
yash2998chhabria Credited to yash2998chhabria
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18... High Unreviewed
CVE-2026-0958 was published Feb 11, 2026
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated... Low Unreviewed
CVE-2026-23686 was published Feb 10, 2026
Fastify's Content-Type header tab character allows body validation bypass High
CVE-2026-25223 was published for fastify (npm) Feb 2, 2026
jsumners Credited to jsumners
Path Normalization Bypass in Traefik Router + Middleware Rules Moderate
CVE-2025-66490 was published for github.com/traefik/traefik (Go) Dec 8, 2025
ShadoooooW Credited to ShadoooooW
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization High
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen and sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict High
GHSA-jj37-3377-m6vv was published for nodemailer (npm) Nov 14, 2025 withdrawn
uv allows ZIP payload obfuscation through parsing differentials Moderate
GHSA-pqhf-p39g-3x64 was published for uv (pip) Oct 29, 2025
calebbrown Credited to calebbrown, woodruffw, and zanieb woodruffw woodruffw
zanieb zanieb
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict Moderate
CVE-2025-13033 was published for nodemailer (npm) Oct 7, 2025
xclow3n Credited to xclow3n
uv allows ZIP payload obfuscation through parsing differentials Moderate
CVE-2025-54368 was published for uv (pip) Aug 7, 2025
charliermarsh Credited to charliermarsh, zanieb, woodruffw, thatch, and calebbrown zanieb zanieb
woodruffw woodruffw thatch thatch calebbrown calebbrown
RatPanel can perform remote command execution without authorization High
CVE-2025-53534 was published for github.com/tnborg/panel (Go) Aug 4, 2025
LTLTLXEY Credited to LTLTLXEY and devhaozi devhaozi devhaozi
Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) Critical
CVE-2025-25292 was published for ruby-saml (RubyGems) Mar 12, 2025
p- Credited to p-
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database