GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
11 advisories
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
High
CVE-2026-26324
was published
for
openclaw
(npm)
Feb 17, 2026
OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve
High
GHSA-mqpw-46fh-299h
was published
for
openclaw
(npm)
Feb 17, 2026
OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains
High
GHSA-7vwx-582j-j332
was published
for
openclaw
(npm)
Feb 17, 2026
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
High
CVE-2026-25474
was published
for
openclaw
(npm)
Feb 17, 2026
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
High
GHSA-mr32-vwc2-5j6h
was published
for
moltbot
(npm)
Feb 17, 2026
Wrangler affected by OS Command Injection in `wrangler pages deploy`
High
CVE-2026-0933
was published
for
wrangler
(npm)
Jan 21, 2026
lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()
High
CVE-2025-67729
was published
for
lmdeploy
(pip)
Dec 26, 2025
Fedify has ReDoS Vulnerability in HTML Parsing Regex
High
CVE-2025-68475
was published
for
@fedify/fedify
(npm)
Dec 22, 2025
systeminformation has a Command Injection vulnerability in fsSize() function on Windows
High
CVE-2025-68154
was published
for
systeminformation
(npm)
Dec 16, 2025
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
High
CVE-2025-68150
was published
for
parse-server
(npm)
Dec 16, 2025
@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint
High
CVE-2025-68155
was published
for
@vitejs/plugin-rsc
(npm)
Dec 16, 2025
ProTip!
Advisories are also available from the
GraphQL API