Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

11,776 advisories

Loading
OpenClaw: Node pairing reconnection could confuse approval scope state High
GHSA-83w9-h5wv-j9xm was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates High
GHSA-hw9r-h9mr-4jff was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion High
GHSA-mhq8-78pj-5j79 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: QQBot native approval buttons did not enforce configured approver identity High
CVE-2026-35630 was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority High
CVE-2026-53814 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Control UI locality spoofing could mint a durable admin device token High
CVE-2026-53817 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers High
GHSA-rggc-m335-3wvj was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads High
CVE-2026-53810 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Shell wrapper argv could change between approval and execution High
GHSA-2j8v-hwgc-x698 was published for Openclaw (npm) Jul 2, 2026
OpenClaw: Exec approval display truncation could hide the command being approved High
GHSA-xww8-gqvh-92x9 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Message read actions could skip channel allowlist checks High
CVE-2026-53815 was published for openclaw (npm) Jul 2, 2026
samchodev Credited to samchodev
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token High
CVE-2026-50143 was published for @apify/actors-mcp-server (npm) Jul 1, 2026
EQSTLab Credited to EQSTLab and 232-323 232-323 232-323
goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags High
CVE-2026-50138 was published for goshs.de/goshs/v2 (Go) Jul 1, 2026
black-shadow-007 Credited to black-shadow-007
OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms High
CVE-2026-53712 was published for com.ongres.scram:scram-client (Maven) Jul 1, 2026
KEIJOT Credited to KEIJOT and jorsol jorsol jorsol
`oras-go` tar extraction: Hardlink entry with relative Linkname escapes extract dir via process CWD resolution High
CVE-2026-50163 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
anvanster Credited to anvanster
oras-go blob upload vulnerable to credential forwarding via unvalidated Location header High
CVE-2026-50151 was published for oras.land/oras-go/v2 (Go) Jul 1, 2026
1seal Credited to 1seal
Keycloak has privilege escalation via improper scope mapping enforcement High
CVE-2026-9795 was published for org.keycloak:keycloak-services (Maven) Jul 1, 2026
Rancher has over-inclusive team membership expansion in GitHub App authentication provider High
CVE-2026-41053 was published for github.com/rancher/rancher (Go) Jul 1, 2026
Yuremin Credited to Yuremin and FORIMOC FORIMOC FORIMOC
Rancher Fleet has Unauthenticated Webhook: Regex Injection via Unsanitized Repository URL Components High
CVE-2026-44937 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent High
CVE-2026-44938 was published for github.com/rancher/fleet (Go) Jul 1, 2026
Centrifugo's dynamic JWKS key cache keyed only by `kid` allows cross-issuer JWT authentication bypass High
CVE-2026-49998 was published for github.com/centrifugal/centrifugo (Go) Jul 1, 2026
sondt99 Credited to sondt99
SurrealDB has unauthenticated remote DoS via malformed RPC `use` call High
GHSA-wjjj-24cx-f28g was published for surrealdb (Rust) Jul 1, 2026
SurrealDB has Denial of Service in JSON parser due to nested objects High
GHSA-q729-696q-g9pq was published for surrealdb (Rust) Jul 1, 2026
DarkaMaul Credited to DarkaMaul
SurrealDB: HTTP RPC Session Race Condition Allows Privilege Escalation High
GHSA-4vgr-h27g-cf9p was published for surrealdb (Rust) Jul 1, 2026
addcontent Credited to addcontent
addcontent Credited to addcontent
ProTip! Advisories are also available from the GraphQL API