
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

186 advisories

Vercel: Non-interactive mode includes CLI arguments in suggested command output Moderate
CVE-2026-44479 was published for vercel (npm) May 7, 2026
Credited to benhylak
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs Moderate
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft and KeenSecurityLab
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
Credited to DanusMinimus and EladMeged-Novee
Credited to DeathsPirate
Flowise: Sensitive Data Leak in public-chatbotConfig High
CVE-2026-41266 was published for flowise (npm) Apr 16, 2026
Credited to DenizParlak
Credited to offset
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API Moderate
CVE-2026-33888 was published for apostrophe (npm) Apr 16, 2026
Credited to offset
LangSmith SDK: Streaming token events bypass output redaction Moderate
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Credited to Ryu7zz
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets Moderate
GHSA-r4q5-vmmm-2653 was published for follow-redirects (npm) Apr 14, 2026
Credited to Den-Sec
Credited to tndud042713
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// Moderate
CVE-2026-40045 was published for openclaw (npm) Apr 7, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients Moderate
CVE-2026-41339 was published for openclaw (npm) Apr 7, 2026
Credited to topsec-bunney
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling Moderate
CVE-2026-39365 was published for vite (npm) Apr 6, 2026
Credited to odgrso, Ochk0, and bluwy
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket High
CVE-2026-39363 was published for vite (npm) Apr 6, 2026
Credited to odgrso, CodeAnt-AI-Security, tronglinh23, and bluwy
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries High
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Directus: Sensitive fields exposed in revision history Moderate
CVE-2026-39943 was published for directus (npm) Apr 4, 2026
Directus: GraphQL Schema SDL Disclosure Setting Moderate
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research and odgrso
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass Low
CVE-2026-35038 was published for signalk-server (npm) Apr 3, 2026
Credited to VashuVats
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability Moderate
CVE-2026-41335 was published for openclaw (npm) Apr 3, 2026
Credited to topsec-bunney
OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get Moderate
CVE-2026-41385 was published for openclaw (npm) Apr 2, 2026
Credited to ccreater222, KeenSecurityLab, and qclawer
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure High
GHSA-jccr-rrw2-vc8h was published for openclaw (npm) Mar 31, 2026
Credited to nicky-cc
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
Credited to offset and mtrezza
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention Moderate
GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) Mar 26, 2026
Credited to AmirMSafari