GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,845 advisories

OpenClaw: Prevent shell injection in macOS keychain credential write (High)
CVE-2026-27487 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (High)
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
Credited to AkshayJainG

Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde (High)
CVE-2026-26974 was published for @tygo-van-den-hurk/slyde (npm) Feb 18, 2026
Credited to Tygo-van-den-Hurk
Credited to scumfrog

OpenClaw: Docker container escape via unvalidated bind mount config injection (High)
CVE-2026-27002 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

OpenClaw: Unsanitized CWD path injection into LLM prompts (High)
CVE-2026-27001 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent
Credited to vincentkoc

OpenClaw has a command injection in maintainer clawtributors updater (High)
CVE-2026-26323 was published for openclaw (npm) Feb 18, 2026
Credited to scanleale and MegaManSec

OpenClaw has a path traversal in browser upload allows local file read (High)
CVE-2026-26329 was published for openclaw (npm) Feb 18, 2026
Credited to p80n-sec

OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning (High)
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
Credited to simecek and stanislavfortaisle

OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals (High)
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
Credited to christos-eth

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) (High)
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL

OpenClaw Gateway tool allowed unrestricted gatewayUrl override (High)
CVE-2026-26322 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec

OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension (High)
CVE-2026-26321 was published for openclaw (npm) Feb 17, 2026
Credited to zpbrent

OpenClaw macOS deep link confirmation truncation can conceal executed agent message (High)
CVE-2026-26320 was published for openclaw (npm) Feb 17, 2026
Credited to Cillian-Collins

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests (High)
CVE-2026-26319 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec

OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust (High)
CVE-2026-26316 was published for @openclaw/bluebubbles (npm) Feb 17, 2026
Credited to MegaManSec

LangChain serialization injection vulnerability enables secret extraction (High)
CVE-2025-68665 was published for @langchain/core (npm) Dec 23, 2025
Credited to eyurtsev, ccurme, mdrxy, 0xn3va, yardenporat353, VladimirEliTokarev, hntrl, siewer, and jacoblee93

Fabric.js Affected by Stored XSS via SVG Export (High)
CVE-2026-27013 was published for fabric (npm) Feb 18, 2026
Credited to nedlir

Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation (High)
CVE-2026-26318 was published for systeminformation (npm) Feb 18, 2026
Credited to Sanu1999

Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path (High)
CVE-2026-26280 was published for systeminformation (npm) Feb 18, 2026
Credited to mom3gool

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) (High)
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
Credited to ByamB4

CediPay Affected by Improper Input Validation in Payment Processing (High)
CVE-2026-26063 was published for cedipay-core (npm) Feb 12, 2026
Credited to yueyueL

jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions (High)
CVE-2026-25535 was published for jspdf (npm) Feb 19, 2026
Credited to ZeroXJacks