
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

29,215 advisories

Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
Credited to melnicek and BerSecHub
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI Critical
GHSA-9qhq-v63v-fv3j was published for praisonai (pip) Apr 17, 2026
Credited to decsecre583
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR High
GHSA-8gmg-3w2q-65f4 was published for go.opentelemetry.io/obi (Go) Apr 17, 2026
Credited to MrAlias and arminru
yard: Possible arbitrary path traversal and file access via yard server Moderate
GHSA-3jfp-46x4-xgfj was published for yard (RubyGems) Apr 17, 2026
Dapr: Service Invocation path traversal ACL bypass High
GHSA-85gx-3qv6-4463 was published for github.com/dapr/dapr (Go) Apr 17, 2026
Credited to cicoyle and acroca
Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows Moderate
CVE-2026-35603 was published for @anthropic-ai/claude-code (npm) Apr 17, 2026
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets Moderate
GHSA-f7fh-qg34-x2xh was published for openclaw (npm) Apr 17, 2026
Credited to nicky-cc
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure Moderate
GHSA-jhpv-5j76-m56h was published for openclaw (npm) Apr 17, 2026
Credited to Telecaster2147
OpenClaw: QQBot media tags could read arbitrary local files through reply text High
GHSA-66r7-m7xm-v49h was published for openclaw (npm) Apr 17, 2026
Credited to feiyang666
OpenClaw: busybox and toybox applet execution weakened exec approval binding High
GHSA-2cq5-mf3v-mx44 was published for openclaw (npm) Apr 17, 2026
Credited to decsecre583
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools High
GHSA-7jp6-r74r-995q was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent
OpenClaw: Sandboxed agents could escape exec routing via host=node override High
GHSA-736r-jwj6-4w23 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage Moderate
GHSA-536q-mj95-h29h was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads Moderate
GHSA-qmwg-qprg-3j38 was published for openclaw (npm) Apr 17, 2026
Credited to tdjackey
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins High
GHSA-939r-rj45-g2rj was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement Moderate
GHSA-527m-976r-jf79 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy Moderate
GHSA-rj2p-j66c-mgqh was published for openclaw (npm) Apr 17, 2026
Credited to nicky-cc
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence Moderate
GHSA-f3h5-h452-vp3j was published for openclaw (npm) Apr 17, 2026
Credited to zpbrent
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 High
GHSA-525j-hqq2-66r4 was published for openclaw (npm) Apr 17, 2026
Credited to R1kko1337
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows High
GHSA-82qx-6vj7-p8m2 was published for openclaw (npm) Apr 17, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard Moderate
GHSA-jf25-7968-h2h5 was published for openclaw (npm) Apr 17, 2026
OpenClaw: Browser SSRF policy default allowed private-network navigation Moderate
GHSA-53vx-pmqw-863c was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding Moderate
GHSA-xq94-r468-qwgj was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes Moderate
GHSA-2767-2q9v-9326 was published for openclaw (npm) Apr 17, 2026
Credited to threalwinky