GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,029; Maven 5,000+; npm 5,000+; NuGet 976; pip 5,000+; Pub 13; RubyGems 1,070; Rust 1,404; Swift 61.
Unreviewed advisories: all unreviewed 5,000+.
232 advisories
CVE-2026-29179 (Low) - October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations. Published Apr 21, 2026 for october/system (Composer).
CVE-2026-33551 (Low) - OpenStack Keystone: Restricted application credentials can create EC2 credentials. Published Apr 10, 2026 for keystone (pip).
CVE-2026-42429 (Low) - OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`. Published Apr 9, 2026 for openclaw (npm).
CVE-2026-5379 (Low, unreviewed) - An issue that allowed MCP agents to access certificate information from outside of their... Published Apr 7, 2026.
CVE-2026-5382 (Low, unreviewed) - An issue that could expose records outside of the authorized organization scope through the MCP... Published Apr 7, 2026.
CVE-2026-5381 (Low, unreviewed) - An issue that could expose task information outside of the authorized organization scope has been... Published Apr 7, 2026.
CVE-2026-41341 (Low) - OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message. Published Apr 3, 2026 for openclaw (npm).
CVE-2026-41348 (Low) - OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist. Published Apr 3, 2026 for openclaw (npm).
CVE-2026-41365 (Low) - OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API. Published Apr 2, 2026 for openclaw (npm).
CVE-2026-41376 (Low) - OpenClaw: Matrix thread root and reply context bypass sender allowlist. Published Apr 2, 2026 for openclaw (npm).
CVE-2026-34509 (Low, unreviewed) - OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams... Published Mar 31, 2026.
GHSA-xg59-f45v-9r9j (Low, withdrawn) - Duplicate Advisory: OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty. Published Mar 31, 2026 for openclaw (npm).
CVE-2026-35617 (Low) - OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName. Published Mar 29, 2026 for openclaw (npm).
CVE-2026-35624 (Low) - OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens. Published Mar 26, 2026 for openclaw (npm).
CVE-2026-35649 (Low) - OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation. Published Mar 26, 2026 for openclaw (npm).
CVE-2026-35648 (Low) - OpenClaw may have stale policy enforcement for queued node actions. Published Mar 26, 2026 for openclaw (npm).
CVE-2026-4363 (Low, unreviewed) - GitLab has remediated an issue in GitLab EE affecting all versions from 18.1 before 18.8.7, 18.9... Published Mar 25, 2026.
CVE-2026-28864 (Low, unreviewed) - This issue was addressed with improved permissions checking. This issue is fixed in iOS 18.7.7... Published Mar 25, 2026.
CVE-2026-32642 (Low) - Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol. Published Mar 24, 2026 for org.apache.activemq:artemis-openwire-protocol (Maven).
GHSA-cjq8-m7wj-xmq9 (Low, withdrawn) - Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows. Published Mar 21, 2026 for openclaw (npm).
GHSA-vmvw-pwwf-cc2w (Low, withdrawn) - Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access. Published Mar 21, 2026 for openclaw (NuGet).
CVE-2026-33343 (Low) - etcd: Nested etcd transactions bypass RBAC authorization checks. Published Mar 20, 2026 for go.etcd.io/etcd (Go).
GHSA-r849-826x-wgqm (Low, withdrawn) - Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage. Published Mar 19, 2026 for openclaw (npm).
CVE-2026-26230 (Low, unreviewed) - Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the... Published Mar 16, 2026.
CVE-2026-22545 (Low) - Mattermost fails to validate user's authentication method when processing account auth type switch. Published Mar 16, 2026 for github.com/mattermost/mattermost-server (Go).