GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
16 advisories
Cube Core is vulnerable to privilege escalation via a specially crafted request
  Severity: High. CVE-2026-25958 was published for @cubejs-backend/server-core (npm) on Feb 10, 2026.

OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
  Severity: High. CVE-2026-29610 was published for openclaw (npm) on Feb 18, 2026.

OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
  Severity: Moderate. CVE-2026-32057 was published for openclaw (npm) on Mar 3, 2026.

OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
  Severity: Moderate. CVE-2026-32029 was published for openclaw (npm) on Mar 3, 2026.

OpenClaw's Zalouser allowlist authorization matched mutable group names by default
  Severity: Moderate. GHSA-f5mf-3r52-r83w was published for openclaw (npm) on Mar 13, 2026.

Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
  Severity: High. CVE-2026-33068 was published for @anthropic-ai/claude-code (npm) on Mar 19, 2026.

Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
  Severity: Moderate. GHSA-xh9j-mpc9-2m9p was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
  Severity: Moderate. GHSA-rcx4-77x4-hjx5 was published for openclaw (npm) on Mar 21, 2026. Withdrawn.

OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
  Severity: Moderate. CVE-2026-35670 was published for openclaw (npm) on Mar 26, 2026.

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
  Severity: Low. CVE-2026-35624 was published for openclaw (npm) on Mar 26, 2026.

OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
  Severity: Moderate. CVE-2026-35655 was published for openclaw (npm) on Mar 26, 2026.

OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
  Severity: Low. CVE-2026-35617 was published for openclaw (npm) on Mar 29, 2026.

OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
  Severity: High. GHSA-6xg4-82hv-cp6f was published for openclaw (npm) on Mar 31, 2026.

OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
  Severity: High. GHSA-7ggg-pvrf-458v was published for openclaw (npm) on Apr 2, 2026.

Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
  Severity: Low. GHSA-j42q-r6qx-xrfp was published for openclaw (npm) on Apr 10, 2026. Withdrawn.

Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
  Severity: Low. GHSA-5f7h-p83x-5vc2 was published for openclaw (npm) on Apr 10, 2026. Withdrawn.
ProTip! Advisories are also available from the GraphQL API.