GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,250 advisories

OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
GHSA-5m9r-p9g7-679c was published for openclaw (npm) Mar 13, 2026
Credited to zpbrent
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-g353-mgv3-8pcj was published for openclaw (npm) Mar 13, 2026
Credited to lintsinghua
OpenClaw: Gateway `agent` calls could override the workspace boundary High
GHSA-2rqg-gjgv-84jm was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-rqpp-rjj8-7wv8 was published for openclaw (npm) Mar 13, 2026
Credited to LUOYEcode
OpenClaw: `session_status` let sandboxed subagents access parent or sibling session state High
GHSA-wcxr-59v9-rxr8 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories High
GHSA-99qw-6mr3-36qr was published for openclaw (npm) Mar 13, 2026
Credited to lintsinghua
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces High
GHSA-r7vr-gr74-94p8 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths Moderate
GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) Mar 13, 2026
Credited to zpbrent
OpenClaw: Feishu reaction events could bypass group authorization and mention gating Moderate
GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) Mar 13, 2026
Credited to zpbrent
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes High
GHSA-vmhq-cqm9-6p7q was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
Credited to lintsinghua and woreksami
OpenClaw's Zalouser allowlist authorization matched mutable group names by default Moderate
GHSA-f5mf-3r52-r83w was published for openclaw (npm) Mar 13, 2026
Credited to zpbrent
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization Critical
CVE-2026-32621 was published for @apollo/federation-internals (npm) Mar 13, 2026
Credited to r3dbrothers
Statamic vulnerable to privilege escalation via stored cross-site scripting Moderate
CVE-2026-32612 was published for statamic/cms (Composer) Mar 13, 2026
Credited to Shirshaw64p
idunno.Bluesky, idunno.AtProto and idunno.AtProto.OAuthCallback Denial of Service Vulnerability High
GHSA-8fh9-c4jq-94h4 was published for idunno.AtProto (NuGet) Mar 13, 2026
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning Low
GHSA-q926-c743-49qj was published for github.com/centrifugal/centrifugo/v6 (Go) Mar 13, 2026
Credited to VarshankNaik
simplesamlphp/xml-security: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption High
CVE-2026-32600 was published for simplesamlphp/xml-security (Composer) Mar 13, 2026
Credited to Sideni and tvdijen
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression High
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
Credited to HO-9, mcollina, and UlisesGascon
Credited to aisle-research, mcollina, and UlisesGascon
Undici has CRLF Injection in undici via `upgrade` option Moderate
CVE-2026-1527 was published for undici (npm) Mar 13, 2026
Credited to mcollina and UlisesGascon
Credited to jackhax, mcollina, and UlisesGascon
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client High
CVE-2026-1528 was published for undici (npm) Mar 13, 2026
Credited to mcollina and UlisesGascon
Undici has an HTTP Request/Response Smuggling issue Moderate
CVE-2026-1525 was published for undici (npm) Mar 13, 2026
Credited to mcollina and UlisesGascon
OneUptime: Password Reset Token Logged at INFO Level Moderate
CVE-2026-32598 was published for oneuptime (npm) Mar 13, 2026
Credited to n0rv-TvT
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
Credited to dmbs335