Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,615
Maven
5,000+
npm
5,000+
NuGet
925
pip
4,835
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

30 advisories

Loading
OpenClaw: Agent gateway config mutations could change protected operator settings Moderate
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy Moderate
GHSA-qrp5-gfw2-gxv4 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
GHSA-57r2-h2wj-g887 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy Moderate
GHSA-72q8-jcmc-97wx was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Hook mapping templates could bypass hook session-key opt-in Moderate
GHSA-2xcp-x87w-q377 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths Moderate
GHSA-f934-5rqf-xx47 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation High
GHSA-xmxx-7p24-h892 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Sandboxed agents could escape exec routing via host=node override High
GHSA-736r-jwj6-4w23 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
GHSA-536q-mj95-h29h was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
GHSA-527m-976r-jf79 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows High
GHSA-82qx-6vj7-p8m2 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables Moderate
GHSA-7wv4-cc7p-jhxc was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input Moderate
GHSA-7g8c-cfr3-vqqr was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
GHSA-gc9r-867r-j85f was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
GHSA-r77c-2cmr-7p47 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Heartbeat owner downgrade missed local async exec completion events Moderate
GHSA-g375-h3v6-4873 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
GHSA-g2hm-779g-vm32 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
GHSA-c4qm-58hj-j6pj was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases High
GHSA-8372-7vhw-cm6q was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context Moderate
GHSA-jwrq-8g5x-5fhm was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks Moderate
CVE-2026-42420 was published for openclaw (npm) Apr 9, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement High
CVE-2026-42432 was published for openclaw (npm) Apr 9, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes Moderate
CVE-2026-41910 was published for openclaw (npm) Apr 9, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts Moderate
CVE-2026-42423 was published for openclaw (npm) Apr 9, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// Moderate
CVE-2026-40045 was published for openclaw (npm) Apr 7, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database