GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

26,077 advisories

fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) High
CVE-2026-26278 was published for fast-xml-parser (npm) Feb 17, 2026
Credited to ByamB4
Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass High
CVE-2026-26275 was published for httpsig-hyper (Rust) Feb 17, 2026
Credited to divi255
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide High
CVE-2026-26267 was published for soroban-sdk-macros (Rust) Feb 17, 2026
Credited to leighmcculloch, mootz12, nan-zellic, and dmkozh
emp3r0r Affected by Concurrent Map Access DoS (panic/crash) High
CVE-2026-26201 was published for github.com/jm33-m0/emp3r0r/core (Go) Feb 17, 2026
Credited to xtle0o0
Skill-scanner Unsecured Network Binding Vulnerability Moderate
CVE-2026-26057 was published for cisco-ai-skill-scanner (pip) Feb 17, 2026
Credited to RichardoC and vineethsai7
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization Critical
CVE-2026-26016 was published for pterodactyl/panel (Composer) Feb 17, 2026
Credited to duddnr0615k and DaneEveritt
Indico Affected by Cross-Site-Scripting via material uploads Moderate
CVE-2026-25739 was published for indico (pip) Feb 17, 2026
Credited to dreyercito
Echo has a Windows path traversal via backslash in middleware.Static default filesystem Moderate
CVE-2026-25766 was published for github.com/labstack/echo/v5 (Go) Feb 17, 2026
Credited to shblue21, aldas, and vishr
Indico has Server-Side Request Forgery (SSRF) in multiple places Moderate
CVE-2026-25738 was published for indico (pip) Feb 17, 2026
Credited to rahulgovind, inkz, and yueyueL
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href Moderate
CVE-2026-25500 was published for rack (RubyGems) Feb 17, 2026
Credited to thesmartshadow, jeremyevans, and ioquatix
Credited to yueyueL
Unauthenticated File Upload in Gogs Moderate
CVE-2026-25242 was published for gogs.io/gogs (Go) Feb 17, 2026
Gogs has a Protected Branch Deletion Bypass in Web Interface High
CVE-2026-25232 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs Moderate
CVE-2026-25229 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to spingARbor
Gogs Allows Cross-Repository Comment Deletion via DeleteComment Moderate
CVE-2026-25120 was published for gogs.io/gogs (Go) Feb 17, 2026
Credited to tenbbughunters
Credited to KonstantinMirin
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change High
GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) Feb 17, 2026
Credited to KTOymep
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust) Moderate
GHSA-xc7w-v5x6-cc87 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw affected by SSRF in Image Tool Remote Fetch High
GHSA-56f2-hvwg-5743 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec
OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback Moderate
GHSA-qw99-grcx-4pvm was published for openclaw (npm) Feb 17, 2026
Credited to qi-scape
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
GHSA-3hcm-ggvf-rch5 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access High
GHSA-mr32-vwc2-5j6h was published for moltbot (npm) Feb 17, 2026
Credited to johnatzeropath, LeftenantZero, and yueyueL
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating High
GHSA-qj77-c3c8-9c3q was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw has an arbitrary transcript path file write via gateway sessionFile High
GHSA-64qx-vpxx-mvqf was published for openclaw (npm) Feb 17, 2026
Credited to tubadeligoz
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing High
GHSA-hv93-r4j3-q65f was published for openclaw (npm) Feb 17, 2026
Credited to alpernae