GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,549; Maven 5,000+; npm 5,000+; NuGet 917; pip 4,798; Pub 13; RubyGems 1,038; Rust 1,237; Swift 53
Unreviewed advisories: All unreviewed 5,000+
8,209 advisories
Wish has SCP Path Traversal that allows arbitrary file read/write
Critical · GHSA-xjvp-7243-rg9h was published for charm.land/wish/v2 (Go) · Apr 18, 2026
Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment
Low · GHSA-h39g-6x3c-7fq9 was published for Zio (NuGet) · Apr 18, 2026
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
Moderate · GHSA-f934-5rqf-xx47 was published for openclaw (npm) · Apr 17, 2026
OpenClaw: Webchat media embedding enforces local-root containment for tool-result files
High · GHSA-mr34-9552-qr95 was published for openclaw (npm) · Apr 17, 2026
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
High · GHSA-8gmg-3w2q-65f4 was published for go.opentelemetry.io/obi (Go) · Apr 17, 2026
yard: Possible arbitrary path traversal and file access via yard server
Moderate · GHSA-3jfp-46x4-xgfj was published for yard (RubyGems) · Apr 17, 2026
Dapr: Service Invocation path traversal ACL bypass
High · GHSA-85gx-3qv6-4463 was published for github.com/dapr/dapr (Go) · Apr 17, 2026
OpenClaw: QQBot media tags could read arbitrary local files through reply text
High · GHSA-66r7-m7xm-v49h was published for openclaw (npm) · Apr 17, 2026
OpenClaw: screen_record outPath bypassed workspace-only filesystem guard
Moderate · GHSA-jf25-7968-h2h5 was published for openclaw (npm) · Apr 17, 2026
OpenClaw: Discord event cover images bypassed sandbox media normalization
Moderate · GHSA-c9h3-5p7r-mrjh was published for openclaw (npm) · Apr 17, 2026
ByteDance DeerFlow before commit 2176b2b contains a path traversal and arbitrary file write...
High · Unreviewed · CVE-2026-40518 was published · Apr 17, 2026
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to...
High · Unreviewed · CVE-2026-5710 was published · Apr 17, 2026
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due...
High · Unreviewed · CVE-2026-3464 was published · Apr 17, 2026
A vulnerability was found in prasathmani TinyFileManager up to 2.6. Affected is an unknown...
Moderate · Unreviewed · CVE-2026-6496 was published · Apr 17, 2026
A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file ...
Moderate · Unreviewed · CVE-2026-6487 was published · Apr 17, 2026
The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read...
High · Unreviewed · CVE-2026-4659 was published · Apr 17, 2026
A path traversal vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an...
Moderate · Unreviewed · CVE-2026-35496 was published · Apr 17, 2026
The JetBackup – Backup, Restore & Migrate plugin for WordPress is vulnerable to Path Traversal...
Moderate · Unreviewed · CVE-2026-4853 was published · Apr 17, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate · CVE-2026-6410 was published for @fastify/static (npm) · Apr 16, 2026
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
High · CVE-2026-40611 was published for github.com/go-acme/lego (Go) · Apr 16, 2026
Flowise: Path Traversal in Vector Store basePath
Moderate · GHSA-w6v6-49gh-mc9w was published for flowise (npm) · Apr 16, 2026
Mako: Path traversal via double-slash URI prefix in TemplateLookup
Moderate · GHSA-v92g-xgxw-vvmm was published for Mako (pip) · Apr 16, 2026
Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix
Moderate · GHSA-hf5p-q87m-crj7 was published for com.github.junrar:junrar (Maven) · Apr 16, 2026
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
High · GHSA-533q-w4g6-5586 was published for psitransfer (npm) · Apr 16, 2026
Weblate: Prefix-Based Repository Boundary Check Bypass via Symlink/Junction Path Prefix Collision
Moderate · CVE-2026-40256 was published for weblate (pip) · Apr 16, 2026
ProTip! Advisories are also available from the GraphQL API.