GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
21 advisories
Filter by severity
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
High
CVE-2026-55487
was published
for
pnpm
(npm)
Jun 26, 2026
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
High
GHSA-v3f4-w7r7-v3hm
was published
for
@zenalexa/unicli
(npm)
Jun 19, 2026
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
High
CVE-2026-55660
was published
for
@tinacms/app
(npm)
Jun 19, 2026
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
High
GHSA-v52w-28xh-v562
was published
for
@kozou/api
(npm)
Jun 19, 2026
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
High
CVE-2026-6734
was published
for
undici
(npm)
Jun 19, 2026
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
High
CVE-2026-50168
was published
for
@angular/platform-server
(npm)
Jun 15, 2026
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
High
CVE-2026-46701
was published
for
network-ai
(npm)
May 21, 2026
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport
High
GHSA-fvh2-gm75-j4j7
was published
for
dynoxide
(npm)
May 18, 2026
Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
High
GHSA-gv2f-q4wp-fvh5
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
High
CVE-2026-41886
was published
for
locize
(npm)
Apr 22, 2026
Directus: Missing Cross-Origin Opener Policy
High
CVE-2026-35408
was published
for
directus
(npm)
Apr 4, 2026
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
High
CVE-2026-41393
was published
for
openclaw
(npm)
Apr 3, 2026
@grackle-ai/server has Missing WebSocket Origin Header Validation
High
GHSA-w3hv-x4fp-6h6j
was published
for
@grackle-ai/server
(npm)
Mar 25, 2026
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode
High
CVE-2026-32302
was published
for
openclaw
(npm)
Mar 12, 2026
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
High
CVE-2026-26861
was published
for
clevertap-web-sdk
(npm)
Feb 27, 2026
Feathers has an origin validation bypass via prefix matching
High
CVE-2026-27192
was published
for
@feathersjs/authentication-oauth
(npm)
Feb 19, 2026
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
High
CVE-2025-59845
was published
for
@apollo/explorer
(npm)
Sep 26, 2025
Flowise Cors Misconfiguration in packages/server/src/index.ts
High
CVE-2024-36421
was published
for
flowise
(npm)
Aug 5, 2024
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
High
CVE-2024-26135
was published
for
meshcentral
(npm)
Feb 21, 2024
Remote code execution in Eclipse Theia
High
CVE-2021-34435
was published
for
@theia/mini-browser
(npm)
Sep 2, 2021
ProTip!
Advisories are also available from the
GraphQL API