Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

96 advisories

Loading
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation High
GHSA-4qq2-2j2x-x62c was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
FUXA provides guest and invalid-token access to protected read APIs in secure mode Moderate
CVE-2026-47718 was published for fuxa-server (npm) May 28, 2026
north-echo Credited to north-echo
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE Moderate
GHSA-wxw3-q3m9-c3jr was published for better-auth (npm) May 15, 2026
Jvr2022 Credited to Jvr2022 and alavesa alavesa alavesa
OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover Moderate
CVE-2026-44720 was published for openlearnx (npm) May 13, 2026
krrazee Credited to krrazee and 0x5t4l1n 0x5t4l1n 0x5t4l1n
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver Critical
CVE-2026-44351 was published for fast-jwt (npm) May 6, 2026
bhaswanthc Credited to bhaswanthc and SociableSteve SociableSteve SociableSteve
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy Moderate
CVE-2026-42041 was published for axios (npm) May 5, 2026
August829 Credited to August829
OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Feishu webhook and card-action validation now fail closed Critical
CVE-2026-44109 was published for openclaw (npm) Apr 17, 2026
dhyabi2 Credited to dhyabi2
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints Critical
CVE-2026-41428 was published for @budibase/backend-core (npm) Apr 16, 2026
AyushParkara Credited to AyushParkara
Flowise: resetPassword Authentication Bypass Vulnerability High
CVE-2026-41276 was published for flowise (npm) Apr 16, 2026
zdi-disclosures Credited to zdi-disclosures
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
CVE-2026-41679 was published for @paperclipai/server (npm) Apr 10, 2026
sagilayani Credited to sagilayani
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header Moderate
CVE-2026-39411 was published for @lobehub/lobehub (npm) Apr 8, 2026
13ernkastel Credited to 13ernkastel
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets Low
GHSA-fqrj-m88p-qf3v was published for openclaw (npm) Apr 7, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials High
CVE-2026-41342 was published for openclaw (npm) Mar 31, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication Moderate
CVE-2026-35634 was published for openclaw (npm) Mar 26, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover High
CVE-2026-33665 was published for n8n (npm) Mar 25, 2026
weblover12 Credited to weblover12, 34selen, B0RI, and jh-hack 34selen 34selen
B0RI B0RI jh-hack jh-hack
Parse Server has an auth provider validation bypass on login via partial authData High
CVE-2026-33409 was published for parse-server (npm) Mar 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware High
CVE-2026-32730 was published for apostrophe (npm) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
Parse Server affected by empty authData bypassing credential requirement on signup Moderate
CVE-2026-33042 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection High
CVE-2026-31975 was published for @siteboon/claude-code-ui (npm) Mar 11, 2026
Ethan-Yang-opcia Credited to Ethan-Yang-opcia, DhiyaneshGeek, and neo-ai-engineer DhiyaneshGeek DhiyaneshGeek
neo-ai-engineer neo-ai-engineer
Parse Server OAuth2 authentication adapter account takeover via identity spoofing High
CVE-2026-30967 was published for parse-server (npm) Mar 11, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Parse Server missing audience validation in Keycloak authentication adapter High
CVE-2026-30949 was published for parse-server (npm) Mar 11, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Feathers has an OAuth Callback Account Takeover issue Critical
CVE-2026-29792 was published for @feathersjs/authentication-oauth (npm) Mar 10, 2026
sofianeelhor Credited to sofianeelhor
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens Moderate
GHSA-9r75-g2cr-3h76 was published for @workflow/core (npm) Mar 6, 2026
pranaygp Credited to pranaygp, andresriancho, and TooTallNate andresriancho andresriancho
TooTallNate TooTallNate
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database