GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
18 advisories
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Moderate
CVE-2024-53866
was published
for
pnpm
(npm)
Dec 10, 2024
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Moderate
CVE-2026-23888
was published
for
pnpm
(npm)
Jan 26, 2026
OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
Moderate
GHSA-qhrr-grqp-6x2g
was published
for
openclaw
(npm)
Mar 3, 2026
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
High
CVE-2024-27303
was published
for
app-builder-lib
(npm)
Mar 4, 2024
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
High
CVE-2026-31997
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
High
CVE-2026-32032
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
High
CVE-2026-32009
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks
High
CVE-2026-32015
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
Moderate
CVE-2026-32016
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has an Arbitrary Malicious Code Execution Vulnerability
High
CVE-2026-35641
was published
for
openclaw
(npm)
Mar 30, 2026
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
Critical
CVE-2026-41294
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw Has Incomplete Fix for CVE-2026-4039: CLI Backend Environment Variable Injection via Workspace Config
High
CVE-2026-41384
was published
for
openclaw
(npm)
Apr 7, 2026
ProTip!
Advisories are also available from the
GraphQL API