Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,003
Maven
5,000+
npm
4,732
NuGet
788
pip
4,341
Pub
12
RubyGems
987
Rust
1,137
Swift
50
Unreviewed advisories
All unreviewed
5,000+

4,733 advisories

Loading
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) High
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
yueyueL
Credited to yueyueL
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals High
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
christos-eth
Credited to christos-eth
OpenClaw skills.status could leak secrets to operator.read clients Moderate
CVE-2026-26326 was published for openclaw (npm) Feb 17, 2026
simecek stanislavfortaisle
Credited to simecek and stanislavfortaisle
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
simecek stanislavfortaisle
Credited to simecek and stanislavfortaisle
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities Moderate
CVE-2026-26328 was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw has a path traversal in browser upload allows local file read High
CVE-2026-26329 was published for openclaw (npm) Feb 18, 2026
p80n-sec
Credited to p80n-sec
OpenClaw has a command injection in maintainer clawtributors updater High
CVE-2026-26323 was published for openclaw (npm) Feb 18, 2026
scanleale MegaManSec
Credited to scanleale and MegaManSec
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints High
CVE-2026-26317 was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw has a Path Traversal in Browser Download Functionality Moderate
CVE-2026-26972 was published for openclaw (npm) Feb 18, 2026
locus-x64
Credited to locus-x64
OpenClaw: Unsanitized CWD path injection into LLM prompts High
CVE-2026-27001 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw: Docker container escape via unvalidated bind mount config injection High
CVE-2026-27002 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw: Telegram bot token exposure via logs Moderate
CVE-2026-27003 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw session tool visibility hardening and Telegram webhook secret fallback Moderate
CVE-2026-27004 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation Moderate
CVE-2026-27007 was published for openclaw (npm) Feb 18, 2026
kexinoh
Credited to kexinoh
OpenClaw hardened the skill download target directory validation Moderate
CVE-2026-27008 was published for openclaw (npm) Feb 18, 2026
Adam55A-code
Credited to Adam55A-code
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection Moderate
CVE-2026-27009 was published for openclaw (npm) Feb 18, 2026
Adam55A-code
Credited to Adam55A-code
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction High
CVE-2026-26960 was published for tar (npm) Feb 18, 2026
scumfrog
Credited to scumfrog
Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde High
CVE-2026-26974 was published for @tygo-van-den-hurk/slyde (npm) Feb 18, 2026
Tygo-van-den-Hurk
Credited to Tygo-van-den-Hurk
Ghost has a SQL injection in Content API Critical
CVE-2026-26980 was published for ghost (npm) Feb 18, 2026
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern High
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
AkshayJainG
Credited to AkshayJainG
OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup Moderate
CVE-2026-27486 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw: Prevent shell injection in macOS keychain credential write High
CVE-2026-27487 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
Authorization bypass in url-parse Moderate
CVE-2022-0512 was published for url-parse (npm) Feb 15, 2022
ljharb
Credited to ljharb
url-parse Incorrectly parses URLs that include an '@' Moderate
CVE-2022-0639 was published for url-parse (npm) Feb 18, 2022
Haxatron ljharb
Credited to Haxatron and ljharb
ajv has ReDoS when using `$data` option Moderate
CVE-2025-69873 was published for ajv (npm) Feb 11, 2026
epoberezkin G-Rath
wayne530
Credited to epoberezkin, G-Rath, and wayne530
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database