GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
77 advisories
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
Moderate. GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) on Mar 26, 2026.

OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
Moderate. GHSA-ppwq-6v66-5m6j was published for openclaw (npm) on Mar 26, 2026.

TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction
Moderate. CVE-2026-29066 was published for @tinacms/cli (npm) on Mar 12, 2026.

@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint
Moderate. CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) on Mar 12, 2026.

Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Moderate. CVE-2026-32098 was published for parse-server (npm) on Mar 12, 2026.

Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure
Moderate. GHSA-xjj9-2w6f-jg55 was published for openclaw (npm) on Mar 12, 2026. Withdrawn.

Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
Moderate. CVE-2026-32094 was published for shescape (npm) on Mar 11, 2026.

Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Moderate. GHSA-jc5m-wrp2-qq38 was published for flowise (npm) on Mar 5, 2026.

OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection
Moderate. GHSA-jjgj-cpp9-cvpv was published for openclaw (npm) on Mar 4, 2026.

OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
Moderate. CVE-2026-32002 was published for openclaw (npm) on Mar 4, 2026.

OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state
Moderate. GHSA-6g25-pc82-vfwp was published for openclaw (npm) on Mar 3, 2026.

OpenClaw skills.status could leak secrets to operator.read clients
Moderate. CVE-2026-26326 was published for openclaw (npm) on Feb 17, 2026.

OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction
Moderate. CVE-2026-25475 was published for openclaw (npm) on Feb 4, 2026.

jsPDF has Shared State Race Condition in addJS Plugin
Moderate. CVE-2026-24040 was published for jspdf (npm) on Feb 2, 2026.

Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)
Moderate. CVE-2026-24473 was published for hono (npm) on Jan 27, 2026.

Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
Moderate. CVE-2025-68273 was published for signalk-server (npm) on Jan 2, 2026.

NextAuthjs Email misdelivery Vulnerability
Moderate. GHSA-5jpx-9hw9-2fx4 was published for next-auth (npm) on Oct 29, 2025.

Directus' exact version number is exposed by the OpenAPI Spec
Moderate. CVE-2025-53887 was published for directus (npm) on Jul 15, 2025.

Directus tokens are not redacted in flow logs, exposing session credentials to all admin
Moderate. CVE-2025-53886 was published for directus (npm) on Jul 15, 2025.

Cloudflare Vite plugin exposes secrets over the built-in dev server
Moderate. CVE-2025-59427 was published for @cloudflare/vite-plugin (npm) on Jul 8, 2025.

Information Disclosure via Flags override link
Moderate. CVE-2025-46332 was published for @vercel/flags (npm) on May 2, 2025.

Vite has an `server.fs.deny` bypass with an invalid `request-target`
Moderate. CVE-2025-32395 was published for vite (npm) on Apr 11, 2025.

Vite allows server.fs.deny to be bypassed with .svg or relative paths
Moderate. CVE-2025-31486 was published for vite (npm) on Apr 4, 2025.

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
Moderate. CVE-2025-31125 was published for vite (npm) on Mar 31, 2025.

Directus `search` query parameter allows enumeration of non permitted fields
Moderate. CVE-2025-30352 was published for directus (npm) on Mar 26, 2025.
Advisories are also available from the GraphQL API.