GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,661 advisories

OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
GHSA-5h3g-6xhh-rg6p was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root High
GHSA-wppj-c6mr-83jj was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
changedetection.io project has an XXE vulnerability High
CVE-2026-41895 was published for changedetection.io (pip) May 4, 2026
Credited to FORIMOC
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) High
CVE-2026-41893 was published for signalk-server (npm) May 4, 2026
CI4MS has a Deactivated User Session Bypass (active=0) Moderate
CVE-2026-41891 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess Moderate
CVE-2026-41890 was published for ci4-cms-erp/ci4ms (Composer) May 4, 2026
Credited to dapickle
Distribution's tag deletion bypasses `storage.delete.enabled` configuration Moderate
CVE-2026-41888 was published for github.com/distribution/distribution (Go) May 4, 2026
Credited to joonas
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs Moderate
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
GHSA-r6xh-pqhr-v4xh was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts Moderate
GHSA-55cf-xx38-4p9p was published for openclaw (npm) May 4, 2026
Credited to qi-scape
OpenClaw's ACP child sessions inherit subagent security envelope constraints Moderate
GHSA-q3jj-46pq-826r was published for openclaw (npm) May 4, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw validates Zalo outbound photo URLs through the SSRF guard Moderate
GHSA-2hh7-c75g-qj2r was published for openclaw (npm) May 4, 2026
Credited to foodlook
Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow) High
CVE-2026-42311 was published for pillow (pip) May 4, 2026
Credited to EthanKim88
Pillow has a PDF Parsing Trailer Infinite Loop (DoS) Moderate
CVE-2026-42310 was published for pillow (pip) May 4, 2026
Credited to kexinoh
Pillow has an integer overflow when processing fonts Moderate
CVE-2026-42308 was published for pillow (pip) May 4, 2026
Pillow has a heap buffer overflow with nested list coordinates Moderate
CVE-2026-42309 was published for pillow (pip) May 4, 2026
pyp2spec is Vulnerable to Code Injection High
CVE-2026-42301 was published for pyp2spec (pip) May 4, 2026
Credited to gouldnicholas
Argo vulnerable to exposure of artifact repository credentials High
CVE-2026-42295 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to Masamuneee, Joibel, and isubasinghe
Argo has incomplete fix for CVE-2026-31892: hostNetwork, securityContext, serviceAccountName bypass templateReferencing Strict/Secure High
CVE-2026-42296 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to vnykmshr, Joibel, and isubasinghe
Argo Vulnerable to Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor High
CVE-2026-42294 was published for github.com/argoproj/argo-workflows/v3 (Go) May 4, 2026
Credited to Rudra2018, Joibel, and isubasinghe
Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go) Low
CVE-2026-42183 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to Wernerina, Joibel, and isubasinghe
Argo has Missing Authorization in its Sync ConfigMap Provider High
CVE-2026-42297 was published for github.com/argoproj/argo-workflows/v4 (Go) May 4, 2026
Credited to nebojsaj1726, Joibel, and isubasinghe
Kirby CMS's system API endpoint leaks installed version and license data to authenticated users Moderate
CVE-2026-42051 was published for getkirby/cms (Composer) May 4, 2026
Credited to HuajiHD and 0x-bala
Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions Moderate
CVE-2026-42174 was published for getkirby/cms (Composer) May 4, 2026