
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,244 advisories

Credited to aether-ai-agent
Google Cloud Vertex AI has a vulnerability involving predictable bucket naming High
CVE-2026-2473 was published for google-cloud-aiplatform (pip) Feb 20, 2026
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS) High
CVE-2026-2472 was published for google-cloud-aiplatform (pip) Feb 20, 2026
Credited to qi-scape
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection Moderate
CVE-2026-27568 was published for wwbn/avideo (Composer) Feb 20, 2026
Credited to arkmarta
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused Moderate
CVE-2026-27492 was published for lettermint (npm) Feb 20, 2026
Traefik affected by TLS ClientAuth Bypass on HTTP/3 Critical
GHSA-gv8r-9rw9-9697 was published for github.com/traefik/traefik (Go) Feb 20, 2026
Credited to rbqvq
OpenClaw hardened cron webhook delivery against SSRF Moderate
CVE-2026-27488 was published for openclaw (npm) Feb 20, 2026
Credited to Adam55A-code
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows Low
CVE-2026-27484 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
Sync-in Server has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-67438 was published for @sync-in/server (npm) Feb 20, 2026
Credited to naoyashiga and joseluisq
Fickling has a detection bypass via stdlib network-protocol constructors Low
GHSA-83pf-v6qq-pwmr was published for fickling (pip) Feb 20, 2026
Credited to NucleiAv
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names Critical
CVE-2026-25896 was published for fast-xml-parser (npm) Feb 20, 2026
Credited to Ochk0
bn.js affected by an infinite loop Moderate
CVE-2026-2739 was published for bn.js (npm) Feb 20, 2026
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped Low
CVE-2026-24122 was published for github.com/sigstore/cosign (Go) Feb 19, 2026
Credited to 1seal
Centrifugo v6.6.0 dependency vulnerabilities Moderate
GHSA-j9wf-6r2x-hqmx was published for github.com/centrifugal/centrifugo/v6 (Go) Feb 19, 2026
Credited to samir-is-here
OpenClaw safeBins file-existence oracle information disclosure Moderate
GHSA-6c9j-x93c-rw6j was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
Credited to TheDeepOpc, jrbasso, and cjsaylor
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration Critical
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
Credited to ByamB4
OpenClaw has a path traversal in apply_patch that could write/delete files outside the workspace High
GHSA-r5fq-947m-xm57 was published for openclaw (npm) Feb 19, 2026
Credited to p80n-sec
Flask session does not add `Vary: Cookie` header when accessed in some ways Low
CVE-2026-27205 was published for flask (pip) Feb 19, 2026
Credited to shouryaj98
Pannellum has an XSS vulnerability in hot spot attributes Moderate
CVE-2026-27210 was published for pannellum (npm) Feb 19, 2026
Credited to lumin9ry, SUT0L, and Visvge
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2026-27199 was published for werkzeug (pip) Feb 19, 2026
Credited to alimezar