
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

126 advisories

uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
CVE-2026-35355 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35360 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
CVE-2026-35356 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition High
CVE-2026-35352 was published for coreutils (Rust) Apr 22, 2026
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured Moderate
CVE-2026-22751 was published for org.springframework.security:spring-security-core (Maven) Apr 21, 2026
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement Moderate
CVE-2026-3590 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) High
CVE-2026-41272 was published for flowise (npm) Apr 16, 2026
Credited to ESPanda666 and JLLeitschuh
OpenClaw: TOCTOU read in exec script preflight Low
CVE-2026-43529 was published for openclaw (npm) Apr 16, 2026
Credited to kikayli
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile Critical
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses Moderate
GHSA-rm5c-4rmf-vvhw was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
ONNX: TOCTOU arbitrary file read/write in save_external_dat High
GHSA-q56x-g2fj-4rj6 was published for onnx (pip) Apr 1, 2026
Credited to tsigouris007 and kpatsakis
Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape Moderate
CVE-2026-34452 was published for anthropic (pip) Apr 1, 2026
Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
GHSA-xxj4-96ph-g6j6 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
GHSA-wwrj-437c-ppq4 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-wmgj-hrx3-23gj was published for openclaw (npm) Mar 29, 2026 withdrawn
Parse Server has an MFA single-use token bypass via concurrent authData login requests Low
CVE-2026-34224 was published for parse-server (npm) Mar 29, 2026
Credited to offset and mtrezza
Handlebars.js has a Property Access Validation Bypass in container.lookup Low
GHSA-442j-39wm-28r2 was published for handlebars (npm) Mar 29, 2026
Credited to TinkAnet
OpenClaw may have stale policy enforcement for queued node actions Low
CVE-2026-35648 was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent
Parse Server: MFA recovery code single-use bypass via concurrent requests Low
CVE-2026-33624 was published for parse-server (npm) Mar 24, 2026
Credited to mtrezza and spbavarva
Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host Moderate
GHSA-3p2x-hjxj-c7rv was published for openclaw (npm) Mar 21, 2026 withdrawn
Parse Server has a password reset token single-use bypass via concurrent requests Low
CVE-2026-32943 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
CVE-2026-32979 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey