GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

16 advisories

electerm allows unauthorized users to execute arbitrary commands Critical
CVE-2020-23256 was published for electerm (npm) Jan 20, 2023
Credited to filipeom
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input Critical
CVE-2026-42074 was published for openclaude (npm) May 12, 2026
Credited to Rosayxy
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes Critical
CVE-2026-46339 was published for 9router (npm) May 19, 2026
Credited to sondt99
SillyTavern has Authentication Bypass via SSO Header Injection Critical
CVE-2026-44649 was published for sillytavern (npm) May 12, 2026
Credited to kirakira-dev
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability Critical
CVE-2026-44211 was published for cline (npm) May 8, 2026
Credited to sagilayani
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint Critical
GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) Mar 19, 2026
Credited to riczardo
Credited to simecek and stanislavfortaisle
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
Credited to ByamB4 and mtrezza
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints Critical
CVE-2026-27584 was published for @actual-app/sync-server (npm) Feb 24, 2026
Credited to iamsilk and MatissJanis
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API Critical
CVE-2026-25895 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Exposure of Plaintext Database Credentials Critical
CVE-2026-25751 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
REC in MCPJam inspector due to HTTP Endpoint exposes Critical
CVE-2026-23744 was published for @mcpjam/inspector (npm) Jan 16, 2026
Credited to c2an1
Credited to zaddy6 and arthurgervais
Flowise OS command remote code execution Critical
CVE-2025-8943 was published for flowise (npm) Aug 14, 2025
MCP Inspector proxy server lacks authentication between the Inspector client and proxy Critical
CVE-2025-49596 was published for @modelcontextprotocol/inspector (npm) Jun 13, 2025
Credited to JLLeitschuh
ProTip! Advisories are also available from the GraphQL API