GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
143 advisories
Filter by severity
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
Moderate
CVE-2026-22180
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured
Moderate
CVE-2026-22181
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
Moderate
CVE-2026-32043
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
High
CVE-2026-27545
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
High
CVE-2026-31997
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Sandbox media TOCTOU could read files outside sandbox root
High
GHSA-7xmq-g46g-f8pv
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw's TOCTOU symlink race in writeFileWithinRoot could create or truncate files outside root boundaries
High
GHSA-x82f-27x3-q89c
was published
for
openclaw
(npm)
Mar 2, 2026
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
Moderate
CVE-2026-27128
was published
for
craftcms/cms
(Composer)
Feb 23, 2026
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
High
CVE-2026-27127
was published
for
craftcms/cms
(Composer)
Feb 23, 2026
Indico has Server-Side Request Forgery (SSRF) in multiple places
Moderate
CVE-2026-25738
was published
for
indico
(pip)
Feb 17, 2026
Mattermost doesn't properly validate channel membership at the time of data retrieval
Low
CVE-2026-20796
was published
for
github.com/mattermost/mattermost-server
(Go)
Feb 13, 2026
@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses
Critical
CVE-2026-25641
was published
for
@nyariv/sandboxjs
(npm)
Feb 5, 2026
n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users
Critical
CVE-2026-25052
was published
for
n8n
(npm)
Feb 4, 2026
miniserve affected by a TOCTOU and symlink race vulnerability
Moderate
CVE-2025-67124
was published
for
miniserve
(Rust)
Jan 23, 2026
Keycloak does not validate and update refresh token usage atomically
Low
CVE-2026-1035
was published
for
org.keycloak:keycloak-services
(Maven)
Jan 21, 2026
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
High
CVE-2026-23950
was published
for
tar
(npm)
Jan 21, 2026
Turbo Frame responses can restore stale session cookies
Low
CVE-2025-66803
was published
for
@hotwired/turbo
(npm)
Jan 20, 2026
Outray cli is vulnerable to race conditions in tunnels creation
Moderate
CVE-2026-22820
was published
for
outray
(npm)
Jan 13, 2026
filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Moderate
CVE-2026-22701
was published
for
filelock
(pip)
Jan 13, 2026
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
Moderate
CVE-2025-69211
was published
for
@nestjs/platform-fastify
(npm)
Dec 30, 2025
filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
Moderate
CVE-2025-68146
was published
for
filelock
(pip)
Dec 16, 2025
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Moderate
CVE-2025-49558
was published
for
magento/community-edition
(Composer)
Aug 12, 2025
containerd allows host filesystem access on pull
High
CVE-2025-47290
was published
for
github.com/containerd/containerd/v2
(Go)
May 21, 2025
Rack session gets restored after deletion
Moderate
CVE-2025-46336
was published
for
rack-session
(RubyGems)
May 8, 2025
Rack session gets restored after deletion
Moderate
CVE-2025-32441
was published
for
rack
(RubyGems)
May 8, 2025
ProTip!
Advisories are also available from the
GraphQL API