GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,776 advisories
Filter by severity
OpenClaw: Node pairing reconnection could confuse approval scope state
High
GHSA-83w9-h5wv-j9xm
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates
High
GHSA-hw9r-h9mr-4jff
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
High
GHSA-mhq8-78pj-5j79
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: QQBot native approval buttons did not enforce configured approver identity
High
CVE-2026-35630
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
High
CVE-2026-53814
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Control UI locality spoofing could mint a durable admin device token
High
CVE-2026-53817
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
High
GHSA-rggc-m335-3wvj
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads
High
CVE-2026-53810
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Shell wrapper argv could change between approval and execution
High
GHSA-2j8v-hwgc-x698
was published
for
Openclaw
(npm)
Jul 2, 2026
OpenClaw: Exec approval display truncation could hide the command being approved
High
GHSA-xww8-gqvh-92x9
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Message read actions could skip channel allowlist checks
High
CVE-2026-53815
was published
for
openclaw
(npm)
Jul 2, 2026
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
High
CVE-2026-50143
was published
for
@apify/actors-mcp-server
(npm)
Jul 1, 2026
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
High
CVE-2026-50138
was published
for
goshs.de/goshs/v2
(Go)
Jul 1, 2026
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
High
CVE-2026-53712
was published
for
com.ongres.scram:scram-client
(Maven)
Jul 1, 2026
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution
High
CVE-2026-50163
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
High
CVE-2026-50151
was published
for
oras.land/oras-go/v2
(Go)
Jul 1, 2026
Keycloak has privilege escalation via improper scope mapping enforcement
High
CVE-2026-9795
was published
for
org.keycloak:keycloak-services
(Maven)
Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider
High
CVE-2026-41053
was published
for
github.com/rancher/rancher
(Go)
Jul 1, 2026
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components
High
CVE-2026-44937
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent
High
CVE-2026-44938
was published
for
github.com/rancher/fleet
(Go)
Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass
High
CVE-2026-49998
was published
for
github.com/centrifugal/centrifugo
(Go)
Jul 1, 2026
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call
High
GHSA-wjjj-24cx-f28g
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects
High
GHSA-q729-696q-g9pq
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation
High
GHSA-4vgr-h27g-cf9p
was published
for
surrealdb
(Rust)
Jul 1, 2026
SurrealDB: HTTP /rpc `sessions` method leaks attached session UUIDs, enabling full session hijack by anonymous callers
High
GHSA-5qfp-32cf-69jh
was published
for
surrealdb
(Rust)
Jul 1, 2026
ProTip!
Advisories are also available from the
GraphQL API