GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
25 advisories
@agenticmail/mcp Missing Authentication for Critical Function
High • GHSA-63gr-g7jc-v8rg was published for @agenticmail/mcp (npm) • Jun 1, 2026

CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
High • GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) • May 19, 2026

@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
High • CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) • May 9, 2026

Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
High • CVE-2026-42856 was published for network-ai (npm) • May 5, 2026

engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High • GHSA-2r2p-4cgf-hv7h was published for engramx (npm) • Apr 22, 2026

Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
High • GHSA-xfqj-r5qw-8g4j was published for @paperclipai/server (npm) • Apr 16, 2026

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
High • CVE-2026-41273 was published for flowise (npm) • Apr 16, 2026

n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport
High • GHSA-75hx-xj24-mqrw was published for n8n-mcp (npm) • Apr 10, 2026

Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
High • CVE-2026-39363 was published for vite (npm) • Apr 6, 2026

Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
High • GHSA-cxcw-jm67-3wwp was published for openclaw (npm) • Mar 21, 2026 • withdrawn

Dagu: SSE Authentication Bypass in Basic Auth Mode
High • CVE-2026-31882 was published for dagu (npm) • Mar 13, 2026

Flowise Missing Authentication on NVIDIA NIM Endpoints
High • CVE-2026-30824 was published for flowise (npm) • Mar 6, 2026

OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
High • CVE-2026-32041 was published for openclaw (npm) • Mar 2, 2026

OpenClaw has an authentication bypass in sandbox browser bridge server
High • CVE-2026-28468 was published for openclaw (npm) • Feb 18, 2026

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
High • CVE-2026-26319 was published for openclaw (npm) • Feb 17, 2026

OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
High • CVE-2026-29613 was published for openclaw (npm) • Feb 17, 2026

OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
High • CVE-2026-28458 was published for moltbot (npm) • Feb 17, 2026

OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
High • CVE-2026-25593 was published for openclaw (npm) • Feb 4, 2026

FUXA contains an Unrestricted File Upload vulnerability
High • CVE-2025-69981 was published for fuxa-server (npm) • Feb 3, 2026

FUXA contains an insecure default configuration vulnerability
High • CVE-2025-69970 was published for fuxa-server (npm) • Feb 3, 2026

OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
High • CVE-2026-22812 was published for opencode-ai (npm) • Jan 13, 2026

Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
High • GHSA-fjh6-8679-9pch was published for flowise-ui (npm) • Nov 14, 2025

Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
High • GHSA-x39m-3393-3qp4 was published for flowise-ui (npm) • Nov 14, 2025

Better Auth: Unauthenticated API key creation through api-key plugin
High • CVE-2025-61928 was published for better-auth (npm) • Oct 9, 2025

Withdrawn Advisory: Lunary Improper Authentication vulnerability
High • CVE-2024-6582 was published for lunary (npm) • Sep 13, 2024 • withdrawn

ProTip! Advisories are also available from the GraphQL API.