Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,722
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,946
Pub
13
RubyGems
1,055
Rust
1,338
Swift
54
Unreviewed advisories
All unreviewed
5,000+

35 advisories

Loading
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes High
GHSA-cwj3-vqpp-pmxr was published for openclaw (npm) May 5, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw's ACP child sessions inherit subagent security envelope constraints Moderate
GHSA-q3jj-46pq-826r was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Moderate
GHSA-c28g-vh7m-fm7v was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Agent gateway config mutations could change protected operator settings Moderate
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy Moderate
GHSA-qrp5-gfw2-gxv4 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
GHSA-57r2-h2wj-g887 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy Moderate
GHSA-72q8-jcmc-97wx was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Hook mapping templates could bypass hook session-key opt-in Moderate
GHSA-2xcp-x87w-q377 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths Moderate
GHSA-f934-5rqf-xx47 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation High
GHSA-xmxx-7p24-h892 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Sandboxed agents could escape exec routing via host=node override High
CVE-2026-42434 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
GHSA-536q-mj95-h29h was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
CVE-2026-43573 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows High
CVE-2026-43571 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Workspace .env could inject OpenClaw runtime-control variables Moderate
CVE-2026-43531 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input Moderate
CVE-2026-43534 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
CVE-2026-43572 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
GHSA-r77c-2cmr-7p47 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Heartbeat owner downgrade missed local async exec completion events Moderate
GHSA-g375-h3v6-4873 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events Moderate
CVE-2026-43566 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation Moderate
CVE-2026-42436 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases High
CVE-2026-43528 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Collect-mode queue batches could reuse the last sender authorization context Moderate
CVE-2026-43535 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database