Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,722
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,946
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

46 advisories

Loading
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config High
CVE-2026-41384 was published for openclaw (npm) Apr 7, 2026
YLChen-007 Credited to YLChen-007
uutils coreutils has an Untrusted Search Path High
CVE-2026-35368 was published for coreutils (Rust) Apr 22, 2026
Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows Moderate
CVE-2026-35603 was published for @anthropic-ai/claude-code (npm) Apr 17, 2026
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover Critical
CVE-2026-41294 was published for openclaw (npm) Apr 1, 2026
tdjackey Credited to tdjackey
PraisonAI Vulnerable to RCE via Automatic tools.py Import High
CVE-2026-40287 was published for PraisonAI (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
OpenClaw has an Arbitrary Malicious Code Execution Vulnerability High
CVE-2026-35641 was published for openclaw (npm) Mar 30, 2026
ChangeYourWay Credited to ChangeYourWay
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading High
CVE-2026-40156 was published for praisonai (pip) Apr 10, 2026
l3tchupkt Credited to l3tchupkt
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking High
CVE-2026-39883 was published for go.opentelemetry.io/otel/sdk (Go) Apr 8, 2026
kodareef5 Credited to kodareef5 and dmathieu dmathieu dmathieu
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy Moderate
CVE-2026-32016 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks High
CVE-2026-32015 was published for openclaw (npm) Mar 3, 2026
jackhax Credited to jackhax
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`) High
CVE-2026-32009 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment High
CVE-2026-32032 was published for openclaw (npm) Mar 3, 2026
athuljayaram Credited to athuljayaram
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind High
CVE-2026-31997 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only) High
CVE-2024-27303 was published for app-builder-lib (npm) Mar 4, 2024
bruno-1337 Credited to bruno-1337
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode Moderate
GHSA-qhrr-grqp-6x2g was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking High
CVE-2026-24051 was published for go.opentelemetry.io/otel/sdk (Go) Feb 2, 2026
MorielHarush Credited to MorielHarush, pellared, and arminru pellared pellared
arminru arminru
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal High
CVE-2026-25992 was published for github.com/siyuan-note/siyuan/kernel (Go) Jan 28, 2026
EaEa0001 Credited to EaEa0001
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip) Moderate
CVE-2026-23888 was published for pnpm (npm) Jan 26, 2026
mldangelo Credited to mldangelo and mgol mgol mgol
sinatra does not validate expanded path matches High
CVE-2022-29970 was published for sinatra (RubyGems) May 3, 2022
Apache Tomcat installer for Windows has an untrusted search path vulnerability Moderate
CVE-2025-49124 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Jun 16, 2025
NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path Critical
CVE-2025-23266 was published for github.com/NVIDIA/gpu-operator (Go) Jul 17, 2025
Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability High
CVE-2025-30399 was published for Microsoft.NetCore.App.Runtime.linux-arm (NuGet) Jun 11, 2025
OpenStack Kolla sudo privilege escalation vulnerability High
CVE-2022-38060 was published for kolla (pip) Dec 21, 2022
Poetry vulnerable to Untrusted Search Path leading to Local Code Execution on Windows High
CVE-2022-36070 was published for poetry (pip) Oct 11, 2022
paul-gerste-sonarsource Credited to paul-gerste-sonarsource
Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection Low
CVE-2025-1398 was published for mattermost-desktop (npm) Mar 17, 2025
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database