
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

306 advisories

OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read Low
GHSA-5ghc-98wh-gwwf was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Low
GHSA-5f9p-f3w2-fwch was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage Low
GHSA-wm8r-w8pf-2v6w was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
NocoDB has Plaintext Storage of Shared View Passwords Low
CVE-2026-28360 was published for nocodb (npm) Mar 2, 2026
Credited to Tulgaaaaaaaa
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint Low
CVE-2026-28358 was published for nocodb (npm) Mar 2, 2026
Credited to Tulgaaaaaaaa
Credited to elliott-with-the-longest-name-on-github and jviide
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder Low
CVE-2026-27942 was published for fast-xml-parser (npm) Feb 26, 2026
Credited to julianladisch
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation Low
CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) Feb 25, 2026
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows Low
CVE-2026-27484 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
devalue affected by CPU and memory amplification from sparse arrays Low
GHSA-33hq-fvwr-56pm was published for devalue (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
Credited to elliott-with-the-longest-name-on-github
Hono added timing comparison hardening in basicAuth and bearerAuth Low
GHSA-gq3j-xvxp-8hrf was published for hono (npm) Feb 19, 2026
Credited to Exagone313
Unauthorized npm publish of cline@2.3.0 with modified postinstall script Low
GHSA-9ppg-jx86-fqw7 was published for cline (npm) Feb 19, 2026
Credited to AdnaneKhan and vincentkoc
OpenClaw log poisoning (indirect prompt injection) via WebSocket headers Low
GHSA-g27f-9qjv-22pm was published for openclaw (npm) Feb 17, 2026
Credited to pkerkhofs and KonstantinMirin
qs's arrayLimit bypass in comma parsing allows denial of service Low
CVE-2026-2391 was published for qs (npm) Feb 12, 2026
Credited to SharokhAtaie and ljharb
xcode-mcp-server vulnerable to Command Injection Low
CVE-2026-2178 was published for xcode-mcp-server (npm) Feb 8, 2026
Claude Code has Permission Deny Bypass Through Symbolic Links Low
CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) Feb 6, 2026
Credited to HanJeouk and alexander-akait
Qwik City Open Redirect via fixTrailingSlash Low
CVE-2026-25149 was published for @builder.io/qwik-city (npm) Feb 3, 2026
Credited to wodzen
Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream Low
CVE-2026-25224 was published for fastify (npm) Feb 2, 2026
Credited to mcollina and onlybugs05
Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy Low
CVE-2026-25050 was published for @vendure/core (npm) Jan 30, 2026