GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,606; Maven 5,000+; npm 5,000+; NuGet 924; pip 4,831; Pub 13; RubyGems 1,045; Rust 1,256; Swift 53 (all reviewed: 5,000+). Unreviewed advisories: 5,000+.
13,903 advisories listed, most recent first:
A weakness has been identified in tufantunc ssh-mcp up to 1.5.0. Impacted is an unknown function...
  Low severity, unreviewed, CVE-2026-7038, published Apr 26, 2026

OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
  Low severity, GHSA-j4c5-89f5-f3pm, published Apr 25, 2026 for openclaw (npm)

OpenClaw: Paired-device pairing actions were not limited to the caller device
  Low severity, GHSA-xrq9-jm7v-g9h7, published Apr 25, 2026 for openclaw (npm)

OpenClaw: QQBot direct media upload skipped URL SSRF validation
  Low severity, GHSA-c4qg-j8jg-42q5, published Apr 25, 2026 for openclaw (npm)

OpenClaw: Isolated cron awareness events were recorded as trusted system events
  Low severity, GHSA-57r2-h2wj-g887, published Apr 25, 2026 for openclaw (npm)

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
  Low severity, GHSA-v8qf-fr4g-28p2, published Apr 25, 2026 for openclaw (npm)

Kimai has Missing Object-Level Authorization in the Team API
  Low severity, CVE-2026-41498, published Apr 24, 2026 for kimai/kimai (Composer)

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of...
  Low severity, unreviewed, CVE-2026-31051, published Apr 24, 2026

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated...
  Low severity, unreviewed, CVE-2026-4313, published Apr 24, 2026

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device...
  Low severity, unreviewed, CVE-2026-41356, published Apr 24, 2026

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based...
  Low severity, unreviewed, CVE-2026-41357, published Apr 24, 2026

OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non...
  Low severity, unreviewed, CVE-2026-41358, published Apr 24, 2026

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The...
  Low severity, unreviewed, CVE-2026-2708, published Apr 24, 2026

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command...
  Low severity, unreviewed, CVE-2026-41348, published Apr 24, 2026

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that...
  Low severity, unreviewed, CVE-2026-41341, published Apr 24, 2026

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when...
  Low severity, unreviewed, CVE-2026-41347, published Apr 24, 2026

Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
  Low severity, CVE-2026-41321, published Apr 23, 2026 for @astrojs/cloudflare (npm)

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant...
  Low severity, unreviewed, CVE-2026-41908, published Apr 23, 2026

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key...
  Low severity, unreviewed, CVE-2026-4512, published Apr 23, 2026

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID...
  Low severity, unreviewed, CVE-2026-41988, published Apr 23, 2026

IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration...
  Low severity, unreviewed, CVE-2026-1272, published Apr 23, 2026

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for...
  Low severity, unreviewed, CVE-2026-6019, published Apr 22, 2026
rust-openssl has an Out-of-bounds read in PEM password callback when returning an oversized length
  Low severity, CVE-2026-41677, published Apr 22, 2026 for openssl (Rust)
pgx: SQL Injection via placeholder confusion with dollar quoted string literals
  Low severity, GHSA-j88v-2chj-qfwx, published Apr 22, 2026 for github.com/jackc/pgx (Go)

nimiq-transaction: Panic via `HistoryTreeProof` length mismatch
  Low severity, CVE-2026-34067, published Apr 22, 2026 for nimiq-transaction (Rust)
ProTip! Advisories are also available from the GraphQL API.