Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

54 advisories

Loading
chdanielmueller Credited to chdanielmueller
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
OpenClaw: Combined POSIX shell options could confuse exec revalidation High
CVE-2026-53806 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Node pairing reconnection could confuse approval scope state High
GHSA-83w9-h5wv-j9xm was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Artex09 Credited to Artex09
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse Low
CVE-2026-6733 was published for undici (npm) Jun 19, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
urianpaul94 Credited to urianpaul94
n8n-mcp webhook and API client paths has an authenticated SSRF High
CVE-2026-44694 was published for n8n-mcp (npm) May 8, 2026
fg0x0 Credited to fg0x0
Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root Moderate
GHSA-6f72-9gxx-98mj was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
GHSA-frr5-j3mh-h9ch was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding Moderate
GHSA-w7rc-vvgx-pj45 was published for openclaw (npm) May 6, 2026 withdrawn
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
CVE-2026-44113 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root Moderate
CVE-2026-44112 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection Moderate
GHSA-cw28-63x4-37c3 was published for openclaw (npm) Apr 24, 2026 withdrawn
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) High
CVE-2026-41272 was published for flowise (npm) Apr 16, 2026
ESPanda666 Credited to ESPanda666 and JLLeitschuh JLLeitschuh JLLeitschuh
OpenClaw: TOCTOU read in exec script preflight Low
CVE-2026-43529 was published for openclaw (npm) Apr 16, 2026
kikayli Credited to kikayli
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile Critical
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses Moderate
GHSA-rm5c-4rmf-vvhw was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path Moderate
GHSA-xxj4-96ph-g6j6 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
GHSA-wwrj-437c-ppq4 was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-wmgj-hrx3-23gj was published for openclaw (npm) Mar 29, 2026 withdrawn
Parse Server has an MFA single-use token bypass via concurrent authData login requests Low
CVE-2026-34224 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Handlebars.js has a Property Access Validation Bypass in container.lookup Low
GHSA-442j-39wm-28r2 was published for handlebars (npm) Mar 29, 2026
TinkAnet Credited to TinkAnet
OpenClaw may have stale policy enforcement for queued node actions Low
CVE-2026-35648 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API