GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
48 advisories
Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
High
CVE-2026-50132
was published
for
@budibase/server
(npm)
Jun 22, 2026
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
High
CVE-2026-53855
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Pairing-scoped device session could restore revoked node token authority
High
CVE-2026-53843
was published
for
openclaw
(npm)
Jun 18, 2026
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
High
CVE-2026-54305
was published
for
n8n
(npm)
Jun 16, 2026
@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket
High
CVE-2026-48034
was published
for
@hulumi/policies
(npm)
Jun 10, 2026
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
High
CVE-2026-43945
was published
for
@frangoteam/fuxa
(npm)
May 26, 2026
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
High
CVE-2026-45707
was published
for
n8n-mcp
(npm)
May 18, 2026
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-46441
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
High
CVE-2026-42863
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-42862
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-42861
was published
for
flowise
(npm)
May 14, 2026
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
CVE-2026-44118
was published
for
openclaw
(npm)
May 4, 2026
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
High
CVE-2026-41900
was published
for
openlearnx
(npm)
Apr 23, 2026
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
High
CVE-2026-33318
was published
for
@actual-app/sync-server
(npm)
Apr 23, 2026
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
High
CVE-2026-41641
was published
for
@nocobase/plugin-collection-sql
(npm)
Apr 22, 2026
OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal
High
CVE-2026-35570
was published
for
@gitlawb/openclaude
(npm)
Apr 21, 2026
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0
High
GHSA-525j-hqq2-66r4
was published
for
openclaw
(npm)
Apr 17, 2026
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
High
CVE-2026-41277
was published
for
flowise
(npm)
Apr 17, 2026
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
High
GHSA-gqqj-85qm-8qhf
was published
for
paperclipai
(npm)
Apr 16, 2026
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
High
CVE-2026-41270
was published
for
flowise
(npm)
Apr 16, 2026
Vite: `server.fs.deny` bypassed with queries
High
CVE-2026-39364
was published
for
vite
(npm)
Apr 6, 2026
Directus: Path Traversal and Broken Access Control in File Management API
High
CVE-2026-39942
was published
for
directus
(npm)
Apr 4, 2026
ProTip!
Advisories are also available from the
GraphQL API