
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,316 advisories

OpenClaw: Endpoint persists after trust decline, leaking gateway credentials (Moderate)
GHSA-9f4w-67g7-mqwv, published for openclaw (npm) on Apr 3, 2026. Credited to zsxsoft.

OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled (Moderate)
GHSA-3xv9-89fm-7h4r, published for openclaw (npm) on Apr 3, 2026. Credited to smaeljaish771.

OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist (Moderate)
GHSA-rvvf-6vh3-9j43, published for openclaw (npm) on Apr 3, 2026. Credited to nexrin.

OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration (High)
GHSA-q9w8-cf67-r238, published for openclaw (npm) on Apr 3, 2026. Credited to nexrin.

OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts (Moderate)
GHSA-f693-58pc-2gfr, published for openclaw (npm) on Apr 3, 2026. Credited to smaeljaish771.

OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config (Low)
GHSA-3pm9-5j7m-59vc, published for openclaw (npm) on Apr 3, 2026. Credited to smaeljaish771.

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing (High)
GHSA-gg9v-mgcp-v6m7, published for openclaw (npm) on Apr 3, 2026. Credited to tdjackey and smaeljaish771.

OpenClaw: Discord voice manager bypasses channel-level member access allowlist (Moderate)
GHSA-cqgw-44wg-44rf, published for openclaw (npm) on Apr 3, 2026. Credited to zsxsoft.

OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders (Moderate)
GHSA-m6fx-m8hc-572m, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch (High)
GHSA-gjm7-hw8f-73rq, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile (Critical)
GHSA-9p3r-hh9g-5cmg, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab, Kazamayc and zsxsoft.

OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting (Moderate)
GHSA-6p8r-6m93-557f, published for openclaw (npm) on Apr 3, 2026. Credited to kexinoh and tdjackey.

OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read (Moderate)
GHSA-58q2-7r52-jq62, published for openclaw (npm) on Apr 3, 2026. Credited to north-echo.

OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode (High)
GHSA-g374-mggx-p6xc, published for openclaw (npm) on Apr 3, 2026. Credited to north-echo.

OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read (High)
GHSA-f6pf-4gjx-c94r, published for openclaw (npm) on Apr 3, 2026. Credited to wsparks-vc and iskindar.

OpenClaw: Agentic Consent Bypass: LLM Agent Can Silently Disable Exec Approval via `config.patch` (High)
GHSA-v3qc-wrwx-j3pw, published for openclaw (npm) on Apr 3, 2026. Credited to YLChen-007.

OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability (Moderate)
GHSA-hr8g-2q7x-3f4w, published for openclaw (npm) on Apr 3, 2026. Credited to topsec-bunney.

OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS (Moderate)
GHSA-w85g-3h6x-4xh2, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab and tdjackey.

OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md (High)
GHSA-xj9w-5r6q-x6v4, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding (Low)
GHSA-37v6-fxx8-xjmx, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.