GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

591 advisories

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface` Moderate
CVE-2026-48808 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters Moderate
CVE-2026-48807 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys Moderate
CVE-2026-48806 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php` Low
CVE-2026-48805 was published for twig/twig (Composer) Jun 30, 2026
Credited to fabpot
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape Critical
CVE-2026-50564 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to 0xVijay and sanketsudake
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover Critical
CVE-2026-50545 was published for github.com/fission/fission (Go) Jun 30, 2026
Credited to j311yl0v3u, b0b0haha, and sanketsudake
OpenAM Authenticated RCE via Groovy Sandbox Escape High
CVE-2026-47424 was published for org.openidentityplatform.openam:openam-scripting (Maven) Jun 29, 2026
Credited to wodzen
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
nono-py has proxy-only network fallback bypass on older Linux kernels Moderate
GHSA-72w7-mf9g-733p was published for nono-py (pip) Jun 26, 2026
Credited to lukehinds
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails Moderate
CVE-2026-54762 was published for github.com/traefik/traefik/v3 (Go) Jun 19, 2026
Credited to vvvvvvvvvvel
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns High
CVE-2026-53853 was published for openclaw (npm) Jun 18, 2026
Credited to amwhoi
OpenClaw: Skill-command dispatch could skip before-tool-call hooks Low
CVE-2026-53845 was published for openclaw (npm) Jun 18, 2026
Credited to zsxsoft, qclawer, and KeenSecurityLab
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable High
GHSA-6jcq-6546-qrrw was published for praisonai (pip) Jun 18, 2026
Credited to rexpository
npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining High
GHSA-5jv7-2mjm-h6qj was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI AgentLoop onToolCall approval runs after tool execution High
GHSA-h2w2-v7j6-xqm4 was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining High
GHSA-vjv9-7m7j-h833 was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients High
GHSA-gqmf-56h7-rrpf was published for praisonai (npm) Jun 18, 2026
Credited to rexpository
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder Moderate
GHSA-pv2j-rghr-v5r9 was published for praisonaiagents (pip) Jun 18, 2026
Credited to SnailSploit
PraisonAI recipe.run_stream skips dangerous-tool policy enforcement High
GHSA-v847-hxxw-3pxg was published for praisonai (pip) Jun 18, 2026
Credited to rexpository