Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
40
Go
2,982
Maven
5,000+
npm
4,677
NuGet
788
pip
4,321
Pub
12
RubyGems
986
Rust
1,133
Swift
49
Unreviewed advisories
All unreviewed
5,000+

4,678 advisories

Loading
OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway High
GHSA-v6c6-vqqg-w888 was published for openclaw (npm) Feb 18, 2026
222n5
Credited to 222n5
OpenClaw's unsanitized session ID enables path traversal in transcript file operations Moderate
GHSA-5xfq-5mr7-426q was published for openclaw (npm) Feb 18, 2026
akhmittra
Credited to akhmittra
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction High
CVE-2026-26960 was published for tar (npm) Feb 18, 2026
scumfrog
Credited to scumfrog
OpenClaw inter-session prompts could be treated as direct user instructions High
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026
anbecker
Credited to anbecker
OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides) High
GHSA-jqpq-mgvm-f9r6 was published for openclaw (npm) Feb 18, 2026
akhmittra
Credited to akhmittra
OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication Moderate
GHSA-pg2v-8xwh-qhcc was published for openclaw (npm) Feb 18, 2026
p80n-sec
Credited to p80n-sec
OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled Moderate
GHSA-c37p-4qqg-3p76 was published for openclaw (npm) Feb 18, 2026
p80n-sec
Credited to p80n-sec
OpenClaw Telegram allowlist authorization accepted mutable usernames Moderate
GHSA-mj5r-hh7j-4gxf was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting High
GHSA-rq6g-px6m-c248 was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints High
CVE-2026-26317 was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw affected by denial of service via unbounded webhook request body buffering High
GHSA-q447-rj3r-2cgh was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) Moderate
GHSA-h89v-j3x9-8wqj was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks Moderate
GHSA-w2cg-vxx6-5xjg was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw affected by denial of service via unbounded URL-backed media fetch High
GHSA-j27p-hq53-9wgc was published for openclaw (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands Moderate
GHSA-v773-r54f-q32w was published for openclaw (npm) Feb 18, 2026
christos-eth
Credited to christos-eth
OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion Moderate
GHSA-xvhf-x56f-2hpp was published for openclaw (npm) Feb 18, 2026
christos-eth
Credited to christos-eth
OpenClaw has a command injection in maintainer clawtributors updater High
CVE-2026-26323 was published for openclaw (npm) Feb 18, 2026
scanleale MegaManSec
Credited to scanleale and MegaManSec
OpenClaw has a path traversal in browser upload allows local file read High
CVE-2026-26329 was published for openclaw (npm) Feb 18, 2026
p80n-sec
Credited to p80n-sec
OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities Moderate
CVE-2026-26328 was published for clawdbot (npm) Feb 18, 2026
vincentkoc
Credited to vincentkoc
OpenClaw allows unauthenticated discovery TXT records could steer routing and TLS pinning High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
simecek stanislavfortaisle
Credited to simecek and stanislavfortaisle
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch Low
GHSA-chm2-m3w2-wcxm was published for clawdbot (npm) Feb 17, 2026
vincentkoc
Credited to vincentkoc
OpenClaw skills.status could leak secrets to operator.read clients Moderate
CVE-2026-26326 was published for openclaw (npm) Feb 17, 2026
simecek stanislavfortaisle
Credited to simecek and stanislavfortaisle
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals High
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
christos-eth
Credited to christos-eth
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) High
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
yueyueL
Credited to yueyueL
OpenClaw Gateway tool allowed unrestricted gatewayUrl override High
CVE-2026-26322 was published for openclaw (npm) Feb 17, 2026
p80n-sec
Credited to p80n-sec
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database