GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,296 advisories

auto-favicon has a Server-Side Request Forgery issue Low
CVE-2026-7150 was published for auto-favicon (pip) Apr 27, 2026
Wooey has an Incorrect Privilege Assignment issue Low
CVE-2026-7142 was published for wooey (pip) Apr 27, 2026
vLLM makes Use of Uninitialized Resource Low
CVE-2026-7141 was published for vllm (pip) Apr 27, 2026
Ollama is Vulnerable to Path Traversal Low
CVE-2026-7020 was published for github.com/ollama/ollama (Go) Apr 26, 2026
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks Low
GHSA-j4c5-89f5-f3pm was published for openclaw (npm) Apr 25, 2026
Credited to nicky-cc
OpenClaw: Paired-device pairing actions were not limited to the caller device Low
GHSA-xrq9-jm7v-g9h7 was published for openclaw (npm) Apr 25, 2026
Credited to Hinotoi-agent
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
CVE-2026-44999 was published for openclaw (npm) Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization Low
CVE-2026-41908 was published for openclaw (npm) Apr 25, 2026
Credited to Kherrisan
AstrBot has Incomplete Filtering of Special Elements Low
CVE-2026-6984 was published for AstrBot (pip) Apr 25, 2026
Kimai has Missing Object-Level Authorization in the Team API Low
CVE-2026-41498 was published for kimai/kimai (Composer) Apr 24, 2026
Credited to AzureADTrent
Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders Low
GHSA-7hrg-5w46-5r2x was published for openclaw (npm) Apr 24, 2026 withdrawn
Duplicate Advisory: OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message Low
GHSA-pr66-whqj-rq5p was published for openclaw (npm) Apr 24, 2026 withdrawn
Duplicate Advisory: OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Low
GHSA-2xp4-qhr4-xqm2 was published for openclaw (npm) Apr 24, 2026 withdrawn
Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist Low
GHSA-qgp3-3rj7-qqq4 was published for openclaw (npm) Apr 24, 2026 withdrawn
melange has Path Traversal via .PKGINFO in --persist-lint-results Low
CVE-2026-29051 was published for chainguard.dev/melange (Go) Apr 23, 2026
Credited to 1seal, antitree, and egibs
Credited to kodareef5
Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization Low
GHSA-qgx9-6px9-7p75 was published for openclaw (npm) Apr 23, 2026 withdrawn
Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided Low
GHSA-qmq6-f8pr-cx5x was published for uuid (npm) Apr 23, 2026 withdrawn
Credited to julianladisch
copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action Low
CVE-2026-6874 was published for copilot-api (npm) Apr 23, 2026
verl's math_equal() Vulnerable to Arbitrary Code Execution via Unsafe eval() Low
CVE-2026-6878 was published for verl (pip) Apr 23, 2026
pgx: SQL Injection via placeholder confusion with dollar quoted string literals Low
CVE-2026-41889 was published for github.com/jackc/pgx (Go) Apr 22, 2026
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch Low
CVE-2026-34067 was published for nimiq-transaction (Rust) Apr 22, 2026
Credited to 1seal and paberr
uutils coreutils's User Interface (UI) Misrepresents Critical Information Low
CVE-2026-35371 was published for coreutils (Rust) Apr 22, 2026