Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

35 advisories

Loading
OpenClaw: Mattermost handlers could fall open when channel type was missing Moderate
GHSA-gp79-m99v-gjmh was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
KEIJOT Credited to KEIJOT and jorsol jorsol jorsol
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails Moderate
CVE-2026-54762 was published for github.com/traefik/traefik/v3 (Go) Jun 19, 2026
vvvvvvvvvvel Credited to vvvvvvvvvvel
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext Moderate
CVE-2026-55568 was published for guzzlehttp/guzzle (Composer) Jun 19, 2026
GrahamCampbell Credited to GrahamCampbell
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment Low
CVE-2026-53852 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment Low
GHSA-hc4w-hm59-9w88 was published for openclaw (npm) Jun 16, 2026 withdrawn
MCP Registry: OCI validator skips ownership check on upstream rate limits Low
CVE-2026-45781 was published for github.com/modelcontextprotocol/registry (Go) May 19, 2026
rdimitrov Credited to rdimitrov
net-imap vulnerable to STARTTLS stripping via invalid response timing High
CVE-2026-42246 was published for net-imap (RubyGems) May 4, 2026
Masamuneee Credited to Masamuneee
OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes Critical
CVE-2026-40525 was published for openviking (pip) Apr 17, 2026
free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors Moderate
CVE-2026-40249 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions High
CVE-2026-40248 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions High
CVE-2026-40247 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install High
CVE-2026-35205 was published for helm.sh/helm/v4 (Go) Apr 10, 2026
maru1009 Credited to maru1009
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open) Low
CVE-2026-41377 was published for openclaw (npm) Apr 2, 2026
davidluzsilva Credited to davidluzsilva
Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-vm29-7mq3-9jrg was published for OpenClaw (npm) Mar 31, 2026 withdrawn
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API