GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (count by ecosystem):
  All reviewed: 5,000+
  Composer: 5,000+
  Erlang: 49
  GitHub Actions: 49
  Go: 3,521
  Maven: 5,000+
  npm: 5,000+
  NuGet: 911
  pip: 4,760
  Pub: 13
  RubyGems: 1,036
  Rust: 1,229
  Swift: 53

Unreviewed advisories:
  All unreviewed: 5,000+

4,026 advisories in this listing
CVE-2026-32181 | Moderate | Unreviewed | published Apr 14, 2026
  Improper privilege management in Microsoft Windows allows an authorized attacker to deny service...

CVE-2026-38529 | High | Unreviewed | published Apr 14, 2026
  A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul...

CVE-2026-5144 | High | Unreviewed | published Apr 11, 2026
  The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all...

CVE-2026-39961 | Moderate | GitHub reviewed | github.com/aiven/aiven-operator (Go) | published Apr 10, 2026
  Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource

CVE-2026-35595 | High | GitHub reviewed | code.vikunja.io/api (Go) | published Apr 10, 2026
  Vikunja vulnerable to Privilege Escalation via Project Reparenting

CVE-2026-29923 | High | Unreviewed | published Apr 9, 2026
  The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate...

GHSA-4f8g-77mw-3rxc | Low | GitHub reviewed | openclaw (npm) | published Apr 9, 2026
  OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`

GHSA-67mf-f936-ppxf | Moderate | GitHub reviewed | openclaw (npm) | published Apr 9, 2026
  OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval

CVE-2026-35607 | High | GitHub reviewed | github.com/filebrowser/filebrowser/v2 (Go) | published Apr 8, 2026
  File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands

GHSA-5hff-46vh-rxmw | Moderate | GitHub reviewed | openclaw (npm) | published Apr 7, 2026
  OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill

GHSA-767m-xrhc-fxm7 | Low | GitHub reviewed | openclaw (npm) | published Apr 7, 2026
  OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

GHSA-3q42-xmxv-9vfr | Moderate | GitHub reviewed | openclaw (npm) | published Apr 7, 2026
  OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send

CVE-2026-5373 | High | Unreviewed | published Apr 7, 2026
  An issue that allowed all-organization administrators to promote accounts to superuser status has...

CVE-2026-34989 | Critical | GitHub reviewed | ci4-cms-erp/ci4ms (Composer) | published Apr 3, 2026
  CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

GHSA-gg9v-mgcp-v6m7 | High | GitHub reviewed | openclaw (npm) | published Apr 3, 2026
  OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing

GHSA-9gp8-hjxr-6f34 | Moderate | GitHub reviewed | openclaw (npm) | published Apr 3, 2026
  OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

CVE-2023-7343 | High | Unreviewed | published Apr 2, 2026
  HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users...

CVE-2023-7342 | High | Unreviewed | published Apr 2, 2026
  HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users...

CVE-2024-44250 | High | Unreviewed | published Apr 2, 2026
  A permissions issue was addressed with additional restrictions. This issue is fixed in macOS...

GHSA-mhgq-xpfq-6r66 | Moderate | GitHub reviewed | openclaw (npm) | published Apr 2, 2026
  OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes

CVE-2026-34528 | High | GitHub reviewed | github.com/filebrowser/filebrowser/v2 (Go) | published Mar 31, 2026
  File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution

CVE-2026-35621 | High | GitHub reviewed | openclaw (npm) | published Mar 30, 2026
  OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send

CVE-2026-35663 | Critical | GitHub reviewed | openclaw (npm) | published Mar 27, 2026
  OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin

CVE-2026-33906 | High | GitHub reviewed | github.com/ellanetworks/core (Go) | published Mar 26, 2026
  Ella Core has Privilege Escalation via Database Restore by NetworkManager role

CVE-2026-35639 | Critical | GitHub reviewed | openclaw (npm) | published Mar 26, 2026
  OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
Advisories are also available from the GraphQL API.