
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

28,316 advisories

OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls (Moderate)
GHSA-9gp8-hjxr-6f34, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw runs Discord audio preflight transcription before member authorization (Moderate)
GHSA-hhff-fj5f-qg48, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode (Moderate)
GHSA-mhr7-2xmv-4c4q, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion (Moderate)
GHSA-p464-m8x6-vhv8, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab and tdjackey.

OpenClaw: Media download follows cross-origin redirects with Authorization headers intact (Moderate)
GHSA-68v4-hmwv-f43h, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.
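The class of bug named in the media-download advisory above (credentials replayed to a third party after a cross-origin redirect) is easiest to see with the redirect logic written out. The following is an added example, not OpenClaw's code and not taken from the advisory: a redirect-following driver with an injected transport (`send`, a hypothetical function standing in for the network so the code runs offline) that strips `Authorization`, `Proxy-Authorization` and `Cookie` whenever the next hop's origin differs from the current one. The fake transport and the host names in it are constructed for the example.

```javascript
// Added example: drop credential headers when a redirect leaves the origin.
// Illustrative code, not OpenClaw's own implementation.

// Request headers that carry credentials and must never be replayed to a
// different origin after a redirect.
const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Two URLs share an origin when scheme, host and effective port match.
// URL.origin normalises default ports (https://h:443 equals https://h).
// Opaque origins ("null", e.g. file: or data: URLs) are never treated as equal
// to anything, not even to another opaque origin.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== 'null' && oa === ob;
}

// Resolve a Location header (which may be relative) against the current URL.
function resolveRedirect(currentUrl, location) {
  return new URL(location, currentUrl).toString();
}

// Header set for the next hop: everything is kept on a same-origin redirect;
// credential headers are removed on a cross-origin one (this covers an
// https -> http downgrade too, since the scheme is part of the origin).
function headersForRedirect(currentUrl, nextUrl, headers) {
  const cross = !sameOrigin(currentUrl, nextUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (cross && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Redirect-following driver. `send(url, headers)` is an injected transport
// returning { status, headers, body }. It is synchronous here so the example
// runs offline against a constructed transport; a real one would be async.
function downloadWithSafeRedirects(url, headers, send, maxHops = 5) {
  let current = url;
  let hdrs = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = send(current, hdrs);
    if (![301, 302, 303, 307, 308].includes(res.status)) {
      return { url: current, ...res };
    }
    const location = res.headers && res.headers.location;
    if (!location) throw new Error(`redirect without Location from ${current}`);
    const next = resolveRedirect(current, location);
    hdrs = headersForRedirect(current, next, hdrs);
    current = next;
  }
  throw new Error(`too many redirects (limit ${maxHops})`);
}

// Constructed transport standing in for the network: the API host redirects
// the media request to a third-party host, which records what it was sent.
function makeFakeTransport() {
  const seen = [];
  const send = (url, headers) => {
    seen.push({ url, headers: { ...headers } });
    if (url === 'https://api.example.test/media/42') {
      return { status: 302, headers: { location: 'https://cdn.third-party.test/blob/42' }, body: '' };
    }
    return { status: 200, headers: {}, body: 'bytes' };
  };
  return { send, seen };
}

// Runs the constructed scenario and returns what each hop received.
function demo() {
  const transport = makeFakeTransport();
  const result = downloadWithSafeRedirects(
    'https://api.example.test/media/42',
    { Authorization: 'Bearer example-token', Accept: '*/*' },
    transport.send,
  );
  return { result, hops: transport.seen };
}
```

With the constructed transport, the first hop carries the bearer token and the second (third-party) hop receives only `Accept`. The `maxHops` bound matters as well: an attacker-controlled redirect chain that is followed without limit is a resource-exhaustion vector in its own right.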
OpenClaw: OpenShell Mirror Sync, sandbox escape via unrestricted file sync and symlink traversal (High)
GHSA-cwf8-44x6-32c2, published for openclaw (npm) on Apr 3, 2026. Credited to AntAISecurityLab.

OpenClaw: Workspace `.env` can override the bundled plugin trust root (High)
GHSA-qcj9-wwgw-6gm8, published for openclaw (npm) on Apr 3, 2026. Credited to nexrin.
Electron: Context Isolation bypass via contextBridge VideoFrame transfer (High)
CVE-2026-34780, published for electron (npm) on Apr 3, 2026.

Electron: AppleScript injection in app.moveToApplicationsFolder on macOS (Moderate)
CVE-2026-34779, published for electron (npm) on Apr 3, 2026.

Electron: Service worker can spoof executeJavaScript IPC replies (Moderate)
CVE-2026-34778, published for electron (npm) on Apr 3, 2026.

Electron: Incorrect origin passed to permission request handler for iframe requests (Moderate)
CVE-2026-34777, published for electron (npm) on Apr 3, 2026.

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux (Moderate)
CVE-2026-34776, published for electron (npm) on Apr 3, 2026.

Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes (Moderate)
CVE-2026-34775, published for electron (npm) on Apr 3, 2026.

Electron: Use-after-free in offscreen child window paint callback (High)
CVE-2026-34774, published for electron (npm) on Apr 3, 2026.

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows (Moderate)
CVE-2026-34773, published for electron (npm) on Apr 3, 2026.

Electron: Use-after-free in download save dialog callback (Moderate)
CVE-2026-34772, published for electron (npm) on Apr 3, 2026.

Electron: Use-after-free in PowerMonitor on Windows and macOS (High)
CVE-2026-34770, published for electron (npm) on Apr 3, 2026.

Electron: Unquoted executable path in app.setLoginItemSettings on Windows (Low)
CVE-2026-34768, published for electron (npm) on Apr 3, 2026.

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest (Moderate)
CVE-2026-34767, published for electron (npm) on Apr 3, 2026.

Electron: USB device selection not validated against filtered device list (Low)
CVE-2026-34766, published for electron (npm) on Apr 3, 2026.
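The header-injection entry above (CVE-2026-34767) names a bug class rather than a technique, so the check a practitioner wants is the generic one: reject any header name or value that could terminate the current header line before it reaches a protocol handler's or `webRequest` callback's response. The code below is an added example, not Electron's own validation; `validateResponseHeaders` and `contentDispositionFor` are hypothetical helper names, and the filename used to exercise them is constructed.

```javascript
// Added example: response-header validation before headers are handed to a
// protocol handler or webRequest callback. Illustrative, not Electron's code.

// Characters permitted in a header field name (RFC 9110 "token").
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// CR, LF or NUL inside a field value lets a caller end the header and inject
// further headers (Set-Cookie, Location, ...) or a body of its own.
const BAD_VALUE_RE = /[\r\n\0]/;

function assertValidHeaderName(name) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
  }
}

function assertValidHeaderValue(name, value) {
  if (typeof value !== 'string' || BAD_VALUE_RE.test(value)) {
    throw new TypeError(`invalid characters in value of header ${name}`);
  }
}

// Returns a validated copy of a headers object (string or string[] values).
// Throws on anything that could split the response; callers should treat the
// throw as a hard failure rather than falling back to the raw headers.
function validateResponseHeaders(headers) {
  const out = {};
  for (const [name, raw] of Object.entries(headers)) {
    assertValidHeaderName(name);
    const values = Array.isArray(raw) ? raw : [raw];
    for (const v of values) assertValidHeaderValue(name, String(v));
    out[name] = Array.isArray(raw) ? values.map(String) : String(raw);
  }
  return out;
}

// Builds a Content-Disposition value from an untrusted filename. Control
// characters are dropped outright, the quoted-string form escapes backslash
// and double quote, and the original name is carried in filename* using the
// RFC 8187 percent-encoding so non-ASCII names survive without raw bytes.
function contentDispositionFor(filename) {
  const clean = String(filename).replace(/[\x00-\x1f\x7f]/g, '');
  const ascii = clean.replace(/[^\x20-\x7e]/g, '_').replace(/["\\]/g, '\\$&');
  return `attachment; filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(clean)}`;
}

// Constructed scenario: a filename chosen to smuggle a Set-Cookie header.
const HOSTILE_FILENAME = 'report.pdf"\r\nSet-Cookie: sid=attacker';

// Returns whether the raw (unsanitised) header would have been rejected and
// whether the sanitised form passes validation.
function demo() {
  let rawRejected = false;
  try {
    validateResponseHeaders({ 'Content-Disposition': `attachment; filename="${HOSTILE_FILENAME}"` });
  } catch (e) {
    rawRejected = e instanceof TypeError;
  }
  const safe = validateResponseHeaders({ 'Content-Disposition': contentDispositionFor(HOSTILE_FILENAME) });
  return { rawRejected, safe: safe['Content-Disposition'] };
}
```

Validation and sanitisation serve different callers: `validateResponseHeaders` is the guard at the boundary where headers from application code enter the response path, and `contentDispositionFor` is how a feature that must derive a header from untrusted input produces one that will pass that guard.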
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()` (Low)
GHSA-ccgf-5rwj-j3hv, published for telejson (npm) on Apr 2, 2026. Credited to Niccolo10.

OpenClaw: Security scan failure does not block plugin installation (fail-open) (Low)
GHSA-cwq8-6f96-g3q4, published for openclaw (npm) on Apr 2, 2026. Credited to davidluzsilva.