GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 46; GitHub Actions 47; Go 3,318; Maven 5,000+; npm 5,000+; NuGet 878; pip 4,532; Pub 12; RubyGems 1,009; Rust 1,200; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
27,790 advisories
OpenClaw has Inconsistent Host Exec Environment Override Sanitization. Severity: High. GHSA-39pp-xp36-q6mg was published for openclaw (npm) on Mar 26, 2026.
OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths. Severity: High. GHSA-48vw-m3qc-wr99 was published for openclaw (npm) on Mar 26, 2026.
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling. Severity: Moderate. GHSA-rm59-992w-x2mv was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution. Severity: Moderate. GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure. Severity: High. GHSA-4qwc-c7g9-4xcw was published for openclaw (npm) on Mar 26, 2026.
Contrast BadAML injection allows arbitrary code execution. Severity: High. GHSA-g9ww-x58f-9g6m was published for github.com/edgelesssys/contrast (Go) on Mar 26, 2026.
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface. Severity: High. GHSA-cxmw-p77q-wchg was published for openclaw (npm) on Mar 26, 2026.
ImageMagick has an Out-of-bounds Write via InterpretImageFilename. Severity: Moderate. CVE-2026-33536 was published for Magick.NET-Q16-AnyCPU (NuGet) on Mar 26, 2026.
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper. Severity: High. GHSA-qm9x-v7cx-7rq4 was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement. Severity: High. GHSA-65h8-27jh-q8wv was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution. Severity: High. GHSA-wv46-v6xc-2qhf was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation. Severity: Moderate. GHSA-h3x4-hc5v-v2gm was published for openclaw (npm) on Mar 26, 2026.
Statamic allows unauthorized content access through missing authorization in its revision controllers. Severity: Moderate. CVE-2026-33887 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields. Severity: Moderate. CVE-2026-33886 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential. Severity: Moderate. CVE-2026-33885 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic's live preview token bypasses content protection for unrelated entries. Severity: Moderate. CVE-2026-33884 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag. Severity: Moderate. CVE-2026-33883 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic's Markdown preview endpoint exposes sensitive user data. Severity: Moderate. CVE-2026-33882 was published for statamic/cms (Composer) on Mar 26, 2026.
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers. Severity: High. GHSA-wq58-2pvg-5h4f was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication. Severity: Moderate. GHSA-6mqc-jqh6-x8fc was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Plivo V2 verified replay identity drifts on query-only variants. Severity: High. GHSA-cg6c-q2hx-69h7 was published for openclaw (npm) on Mar 26, 2026.
Convict has Prototype Pollution via startsWith() function. Severity: Critical. CVE-2026-33864 was published for convict (npm) on Mar 26, 2026.
Convict has prototype pollution via load(), loadFile(), and schema initialization. Severity: Critical. CVE-2026-33863 was published for convict (npm) on Mar 26, 2026.
Netty HTTP/2 CONTINUATION Frame Flood DoS via Zero-Byte Frame Bypass. Severity: High. CVE-2026-33871 was published for io.netty:netty-codec-http2 (Maven) on Mar 26, 2026.
Netty: HTTP Request Smuggling via Chunked Extension Quoted-String Parsing. Severity: High. CVE-2026-33870 was published for io.netty:netty-codec-http (Maven) on Mar 26, 2026.
ProTip! Advisories are also available from the GraphQL API.