Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
45
GitHub Actions
47
Go
3,309
Maven
5,000+
npm
5,000+
NuGet
876
pip
4,530
Pub
12
RubyGems
1,009
Rust
1,195
Swift
51
Unreviewed advisories
All unreviewed
5,000+

75 advisories

Loading
sanitize-html Information Exposure vulnerability Moderate
CVE-2024-21501 was published for sanitize-html (npm) Feb 24, 2024
oscerd Credited to oscerd and krassowski krassowski krassowski
Directus version number disclosure Moderate
CVE-2024-27296 was published for directus (npm) Mar 1, 2024
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images Moderate
CVE-2026-32002 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure Moderate
GHSA-xjj9-2w6f-jg55 was published for openclaw (npm) Mar 12, 2026 withdrawn
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint Moderate
CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) Mar 12, 2026
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction Moderate
CVE-2026-29066 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause Moderate
CVE-2026-32098 was published for parse-server (npm) Mar 12, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash Moderate
CVE-2026-32094 was published for shescape (npm) Mar 11, 2026
anyzy2003 Credited to anyzy2003 and ericcornelissen ericcornelissen ericcornelissen
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint Moderate
GHSA-jc5m-wrp2-qq38 was published for flowise (npm) Mar 5, 2026
tenbbughunters Credited to tenbbughunters
OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection Moderate
GHSA-jjgj-cpp9-cvpv was published for openclaw (npm) Mar 4, 2026
NucleiAv Credited to NucleiAv
OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state Moderate
GHSA-6g25-pc82-vfwp was published for openclaw (npm) Mar 3, 2026
zdi-disclosures Credited to zdi-disclosures
OpenClaw skills.status could leak secrets to operator.read clients Moderate
CVE-2026-26326 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction Moderate
CVE-2026-25475 was published for openclaw (npm) Feb 4, 2026
jasonsutter87 Credited to jasonsutter87 and evanotero evanotero evanotero
Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter) Moderate
CVE-2026-24473 was published for hono (npm) Jan 27, 2026
kilkat Credited to kilkat and JungJoonWoo JungJoonWoo JungJoonWoo
jsPDF has Shared State Race Condition in addJS Plugin Moderate
CVE-2026-24040 was published for jspdf (npm) Feb 2, 2026
KarimTantawey Credited to KarimTantawey
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query Moderate
CVE-2025-31125 was published for vite (npm) Mar 31, 2025
Iuhsssss Credited to Iuhsssss
Incorrect Permission Checking for GraphQL Subscriptions Moderate
CVE-2023-38503 was published for directus (npm) Jul 25, 2023
madc Credited to madc
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints Moderate
CVE-2025-68273 was published for signalk-server (npm) Jan 2, 2026
Exposure of Sensitive Information to an Unauthorized Actor in nanoid Moderate
CVE-2021-23566 was published for nanoid (npm) Jan 21, 2022
baptistecs Credited to baptistecs
MongoDB Driver may publish events containing authentication-related data Moderate
CVE-2021-32050 was published for github.com/mongodb/mongo-swift-driver (Composer) Aug 29, 2023
NextAuthjs Email misdelivery Vulnerability Moderate
GHSA-5jpx-9hw9-2fx4 was published for next-auth (npm) Oct 29, 2025
rootxjs Credited to rootxjs
Cloudflare Vite plugin exposes secrets over the built-in dev server Moderate
CVE-2025-59427 was published for @cloudflare/vite-plugin (npm) Jul 8, 2025
Cherry Credited to Cherry
Directus' exact version number is exposed by the OpenAPI Spec Moderate
CVE-2025-53887 was published for directus (npm) Jul 15, 2025
br41nslug Credited to br41nslug
Directus tokens are not redacted in flow logs, exposing session credentials to all admin Moderate
CVE-2025-53886 was published for directus (npm) Jul 15, 2025
licitdev Credited to licitdev
Passbolt Browser Extension leaks password information Moderate
CVE-2024-33669 was published for passbolt-browser-extension (npm) Apr 26, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database