GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
196 advisories
CVE-2026-44995 (Moderate, unreviewed), published May 11, 2026: OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in...
CVE-2026-44336 (Critical), published May 11, 2026 for PraisonAI (pip): PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
CVE-2026-45184 (Moderate, unreviewed), published May 10, 2026: Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project...
CVE-2026-43944 (Critical), published May 8, 2026 for electerm (npm): Electerm users can run dangerous code through link or command line
CVE-2026-43940 (Critical), published May 8, 2026 for electerm (npm): Electerm runWidget has a path traversal that leads to arbitrary code execution
CVE-2026-44312 (Moderate), published May 7, 2026 for css_parser (RubyGems): CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
CVE-2026-43003 (High), published May 1, 2026 for ironic-python-agent (pip): OpenStack Ironic Python Agent Includes Functionality from Untrusted Control Sphere
CVE-2026-42510 (Moderate), published Apr 28, 2026 for ironic (pip): OpenStack Ironic is Vulnerable to Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-6357 (Moderate), published Apr 27, 2026 for pip (pip): pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere
GHSA-mj59-h3q9-ghfh (Moderate), published Apr 25, 2026 for openclaw (npm): OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
GHSA-m563-373q-885c (Moderate, withdrawn), published Apr 24, 2026 for openclaw (npm): Duplicate Advisory: OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
GHSA-jx3c-247h-cxwp (High, withdrawn), published Apr 24, 2026 for openclaw (npm): Duplicate Advisory: OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
CVE-2026-6859 (High), published Apr 22, 2026 for instructlab (pip): InstructLab Includes Functionality from Untrusted Control Sphere
CVE-2026-41253 (Moderate, unreviewed), published Apr 18, 2026: In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC...
CVE-2026-43569 (High), published Apr 17, 2026 for openclaw (npm): OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins
CVE-2026-43571 (High), published Apr 17, 2026 for openclaw (npm): OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
CVE-2026-6482 (High, unreviewed), published Apr 17, 2026: The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation...
CVE-2026-40959 (Critical, unreviewed), published Apr 16, 2026: Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
CVE-2026-40156 (High), published Apr 10, 2026 for praisonai (pip): PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
CVE-2026-40154 (Critical), published Apr 10, 2026 for PraisonAI (pip): PraisonAI Vulnerable to Untrusted Remote Template Code Execution
CVE-2026-1342 (High, unreviewed), published Apr 8, 2026: IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container...
CVE-2026-41295 (Moderate), published Apr 7, 2026 for openclaw (npm): OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
CVE-2026-41355 (Moderate), published Apr 7, 2026 for openclaw (npm): OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
CVE-2026-41396 (High), published Apr 3, 2026 for openclaw (npm): OpenClaw: Workspace `.env` can override the bundled plugin trust root
CVE-2026-41336 (High), published Apr 2, 2026 for openclaw (npm): OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code