Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
86
GitHub Actions
54
Go
4,175
Maven
5,000+
npm
5,000+
NuGet
1,019
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,421
Swift
61
Unreviewed advisories
All unreviewed
5,000+

18 advisories

Loading
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying Moderate
CVE-2025-64526 was published for @strapi/plugin-users-permissions (npm) May 13, 2026
adriatikii Credited to adriatikii and derrickmehaffy derrickmehaffy derrickmehaffy
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes Moderate
CVE-2026-41213 was published for @node-oauth/oauth2-server (npm) Apr 16, 2026
KarimTantawey Credited to KarimTantawey, jankapunkt, and dhensby jankapunkt jankapunkt
dhensby dhensby
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token Moderate
GHSA-59xc-5v89-r7pr was published for openclaw (npm) Apr 10, 2026 withdrawn
Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
GHSA-r4c2-gq3j-7rpj was published for openclaw (npm) Apr 10, 2026 withdrawn
Duplicate Advisory: OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
GHSA-rc8f-r29c-chr6 was published for openclaw (npm) Apr 10, 2026 withdrawn
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting Moderate
CVE-2026-41333 was published for openclaw (npm) Apr 3, 2026
kexinoh Credited to kexinoh
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication Moderate
CVE-2026-33580 was published for openclaw (npm) Mar 31, 2026
AntAISecurityLab Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication Moderate
GHSA-gm9m-x74r-8whg was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
GHSA-cxfr-3qp8-hpmw was published for openclaw (npm) Mar 31, 2026 withdrawn
Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation Moderate
CVE-2026-34508 was published for openclaw (npm) Mar 31, 2026 withdrawn
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token Moderate
CVE-2026-35646 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
CVE-2026-35628 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
CVE-2026-35623 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
CVE-2026-34505 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OneUptime has WhatsApp Resend Verification Authorization Bypass Moderate
CVE-2026-30959 was published for @oneuptime/common (npm) Mar 10, 2026
Aryma-f4 Credited to Aryma-f4
OpenClaw's hooks count non-POST requests toward auth lockout Moderate
GHSA-6rmx-gvvg-vh6j was published for openclaw (npm) Mar 9, 2026
JNX03 Credited to JNX03
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains Moderate
CVE-2026-32025 was published for openclaw (npm) Mar 3, 2026
luz-oasis Credited to luz-oasis
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header Moderate
CVE-2025-66482 was published for misskey-js (npm) Dec 15, 2025
BoBeR182 Credited to BoBeR182 and saschanaz saschanaz saschanaz
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database