GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
20 advisories
TorchGeo Remote Code Execution Vulnerability
High
CVE-2024-49048
was published
for
torchgeo
(pip)
Apr 1, 2026
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
High
GHSA-5r8f-96gm-5j6g
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
High
GHSA-6xg4-82hv-cp6f
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
High
GHSA-5h2w-qmfp-ggp6
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
High
GHSA-94pw-c6m8-p9p9
was published
for
openclaw
(npm)
Mar 30, 2026
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
High
GHSA-h4jx-hjr3-fhgc
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers
High
GHSA-qm2m-28pf-hgjw
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding
High
GHSA-9p93-7j67-5pc2
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
High
GHSA-74wf-h43j-vvmj
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw has Inconsistent Host Exec Environment Override Sanitization
High
GHSA-39pp-xp36-q6mg
was published
for
openclaw
(npm)
Mar 26, 2026
ZeptoClaw: Path boundary checks bypass via symlink, TOCTOU, and hardlink
High
CVE-2026-32232
was published
for
zeptoclaw
(Rust)
Mar 12, 2026
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data
High
CVE-2026-32231
was published
for
zeptoclaw
(Rust)
Mar 12, 2026
zeptoclaw has Android device shell blocklist bypass via argument permutation
High
GHSA-hhjv-jq77-cmvx
was published
for
zeptoclaw
(Rust)
Mar 5, 2026
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
High
CVE-2026-32030
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
High
CVE-2026-32036
was published
for
openclaw
(npm)
Mar 3, 2026
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
High
GHSA-97f8-7cmv-76j2
was published
for
picklescan
(pip)
Feb 18, 2026
OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension
High
CVE-2026-28451
was published
for
openclaw
(npm)
Feb 18, 2026
OpenClaw has a LFI in BlueBubbles media path handling
High
CVE-2026-29611
was published
for
openclaw
(npm)
Feb 18, 2026
OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension
High
CVE-2026-26321
was published
for
openclaw
(npm)
Feb 17, 2026
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
High
CVE-2023-49781
was published
for
nocodb
(npm)
May 13, 2024
ProTip!
Advisories are also available from the
GraphQL API