Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,722
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,946
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

14 advisories

Loading
gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules High
GHSA-f26g-jm89-4g65 was published for gix (Rust) May 5, 2026
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel High
GHSA-jf56-mccx-5f3f was published for openclaw (npm) Apr 9, 2026
tdjackey Credited to tdjackey
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade High
GHSA-gfmx-pph7-g46x was published for openclaw (npm) Apr 9, 2026
tdjackey Credited to tdjackey
Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json High
CVE-2026-25725 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Universal Tool Calling Protocol (UTCP) client library for Python vulnerable to Trust Boundary Violation through Manual JSON specification High
CVE-2025-14542 was published for utcp (pip) Dec 13, 2025
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events High
CVE-2025-64496 was published for open-webui (npm) Nov 7, 2025
vitalysim Credited to vitalysim
Prevent GitHub CLI and extensions from executing arbitrary commands from compromised GitHub Enterprise Server Moderate
CVE-2025-48938 was published for github.com/cli/go-gh/v2 (Go) May 30, 2025
andyfeller Credited to andyfeller, williammartin, BagToad, babakks, matt-, shilpakum, and vcsjones williammartin williammartin
BagToad BagToad babakks babakks matt- matt- shilpakum shilpakum vcsjones vcsjones
Open Cluster Management vulnerable to Trust Boundary Violation High
CVE-2024-9779 was published for open-cluster-management.io/ocm (Go) Dec 18, 2024
kubevirt-csi: PersistentVolume allows access to HCP's root node High
CVE-2024-1725 was published for github.com/kubevirt/csi-driver (Go) Mar 7, 2024
Duplicate Advisory: Sandbox escape in Artemis Java Test Sandbox High
GHSA-hj55-9jmv-9jrj was published for de.tum.in.ase:artemis-java-test-sandbox (Maven) Jan 19, 2024 withdrawn
Class Loading Vulnerability in Artemis High
CVE-2024-23682 was published for de.tum.in.ase:artemis-java-test-sandbox (Maven) Feb 9, 2022
juliuskreutz Credited to juliuskreutz
Context isolation bypass via contextBridge in Electron High
CVE-2020-4077 was published for electron (npm) Jul 7, 2020
Context isolation bypass via leaked cross-context objects in Electron High
CVE-2020-4076 was published for electron (npm) Jul 7, 2020
Context isolation bypass via Promise in Electron Low
CVE-2020-15096 was published for electron (npm) Jul 7, 2020
MarshallOfSound Credited to MarshallOfSound
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database