GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,648 advisories
Filter by severity
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance
High
CVE-2026-53816
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Combined POSIX shell options could confuse exec revalidation
High
CVE-2026-53806
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Fake package roots could influence memory-core artifact loading
High
CVE-2026-53813
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows
High
CVE-2026-53819
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes
High
GHSA-xr4f-mjxj-w6w5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing
High
GHSA-qjpc-qf9m-xwmr
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack allowFrom could bind to mutable display names
High
GHSA-c29c-2q9c-pc86
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: QQBot streaming command could mutate config without explicit allowFrom
High
GHSA-jvm4-4j77-39p6
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Node pairing reconnection could confuse approval scope state
High
GHSA-83w9-h5wv-j9xm
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates
High
GHSA-hw9r-h9mr-4jff
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
High
GHSA-mhq8-78pj-5j79
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: QQBot native approval buttons did not enforce configured approver identity
High
CVE-2026-35630
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
High
CVE-2026-53814
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Control UI locality spoofing could mint a durable admin device token
High
CVE-2026-53817
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
High
GHSA-rggc-m335-3wvj
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads
High
CVE-2026-53810
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Shell wrapper argv could change between approval and execution
High
GHSA-2j8v-hwgc-x698
was published
for
Openclaw
(npm)
Jul 2, 2026
OpenClaw: Exec approval display truncation could hide the command being approved
High
GHSA-xww8-gqvh-92x9
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Message read actions could skip channel allowlist checks
High
CVE-2026-53815
was published
for
openclaw
(npm)
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
High
CVE-2026-48815
was published
for
sigstore
(npm)
Jul 1, 2026
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection
High
CVE-2026-49987
was published
for
repomix
(npm)
Jul 1, 2026
wetty vulnerable to DOM XSS via file-download filename
High
CVE-2026-49864
was published
for
wetty
(npm)
Jul 1, 2026
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
High
CVE-2026-49857
was published
for
auth-fetch-mcp
(npm)
Jul 1, 2026
@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
High
CVE-2026-48795
was published
for
@adonisjs/bodyparser
(npm)
Jun 30, 2026
ProTip!
Advisories are also available from the
GraphQL API