Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,776 advisories

Loading
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling High
CVE-2026-49253 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields High
CVE-2026-49250 was published for @conform-to/dom (npm) Jul 2, 2026
jviide Credited to jviide
tonghuaroot Credited to tonghuaroot
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
offset Credited to offset
Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap High
CVE-2026-50279 was published for craftcms/cms (Composer) Jul 2, 2026
larlarua Credited to larlarua
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent High
CVE-2026-44454 was published for github.com/coder/coder (Go) Jul 2, 2026
avivdon Credited to avivdon
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function High
CVE-2026-52854 was published for mediawiki/maps (Composer) Jul 2, 2026
SomeMWDev Credited to SomeMWDev
tonghuaroot Credited to tonghuaroot
chaitanyagarware Credited to chaitanyagarware
OpenClaw: Native command authorization could skip owner-command enforcement High
GHSA-p73f-w79w-jqr5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Trusted retry endpoint checks could match hostname prefixes High
GHSA-77q5-rr5v-x43q was published for openclaw (npm) Jul 2, 2026
ccy41928-del Credited to ccy41928-del
OpenClaw: Telegram interactive callbacks could skip commands.allowFrom High
GHSA-w5ww-7chg-mxcq was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance High
CVE-2026-53816 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Combined POSIX shell options could confuse exec revalidation High
CVE-2026-53806 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Fake package roots could influence memory-core artifact loading High
CVE-2026-53813 was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows High
CVE-2026-53819 was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes High
GHSA-xr4f-mjxj-w6w5 was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing High
GHSA-qjpc-qf9m-xwmr was published for openclaw (npm) Jul 2, 2026
adactum Credited to adactum and handmilkingsoftware handmilkingsoftware handmilkingsoftware
OpenClaw: Slack allowFrom could bind to mutable display names High
GHSA-c29c-2q9c-pc86 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: QQBot streaming command could mutate config without explicit allowFrom High
GHSA-jvm4-4j77-39p6 was published for openclaw (npm) Jul 2, 2026
anshumanbh Credited to anshumanbh
ProTip! Advisories are also available from the GraphQL API