GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
4,565 advisories
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME... [High, unreviewed] CVE-2026-32056, published Mar 21, 2026
Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow [Critical] GHSA-f67f-hcr6-94mf, published Mar 20, 2026 for SHAdd0WTAka/Zen-Ai-Pentest (GitHub Actions)
AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand() [High] CVE-2026-33482, published Mar 20, 2026 for wwbn/avideo (Composer)
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection [Critical] CVE-2026-33478, published Mar 20, 2026 for avideo/avideo (Composer)
A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers... [High, unreviewed] CVE-2026-22897, published Mar 20, 2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a local attacker... [Moderate, unreviewed] CVE-2026-22902, published Mar 20, 2026
A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker... [Moderate, unreviewed] CVE-2026-22901, published Mar 20, 2026
Improper neutralization of special elements used in an os command ('os command injection') in... [Critical, unreviewed] CVE-2026-32191, published Mar 19, 2026
Intake has a Command Injection via shell() Expansion in Parameter Defaults [High] CVE-2026-33310, published Mar 19, 2026 for intake (pip)
AVideo has an OS Command Injection via Unescaped URL in LinkedIn Video Upload Shell Command [Moderate] CVE-2026-33319, published Mar 19, 2026 for wwbn/avideo (Composer)
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation [Moderate, withdrawn] GHSA-82gw-wqw6-r2cf, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths [Moderate, withdrawn] GHSA-h36m-2vh5-x699, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains [High, withdrawn] GHSA-3846-mfvc-xwpf, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution [Moderate, withdrawn] GHSA-xrgv-34cc-q765, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution [High, withdrawn] GHSA-pfv5-rpcw-x34x, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes [Moderate, withdrawn] GHSA-5rp4-cwgh-gvwq, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling [Moderate, withdrawn] GHSA-5gqg-mqh5-2v39, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path [Moderate, withdrawn] GHSA-8px5-2gfr-7ph6, published Mar 19, 2026 for openclaw (npm)
Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags [Low, withdrawn] GHSA-ggm6-h3mx-cmmp, published Mar 19, 2026 for openclaw (npm)
The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua'... [High, unreviewed] CVE-2026-32298, published Mar 17, 2026
Perle IOLAN STS/SCS terminal server models with firmware versions prior to 6.0 allow... [High, unreviewed] CVE-2026-23759, published Mar 17, 2026
OpenClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection [High] GHSA-g2f6-pwvx-r275, published Mar 16, 2026 for openclaw (npm)
A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function... [Moderate, unreviewed] CVE-2026-4253, published Mar 16, 2026
Glances has a Command Injection via Process Names in Action Command Templates [High] CVE-2026-32608, published Mar 16, 2026 for Glances (pip)
A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL... [High, unreviewed] CVE-2026-3227, published Mar 16, 2026