
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

21 advisories

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
Credited to dodge1218 and kulesy
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
Credited to ChALkeR, mcollina, and UlisesGascon
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
Credited to 232-323 and min8282
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport High
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
Credited to hicksy
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration High
CVE-2026-41393 was published for openclaw (npm) Apr 3, 2026
Credited to nexrin, KeenSecurityLab, and qclawer
@grackle-ai/server has Missing WebSocket Origin Header Validation High
GHSA-w3hv-x4fp-6h6j was published for @grackle-ai/server (npm) Mar 25, 2026
Credited to yianworks
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function High
CVE-2026-26861 was published for clevertap-web-sdk (npm) Feb 27, 2026
Feathers has an origin validation bypass via prefix matching High
CVE-2026-27192 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass High
CVE-2025-59845 was published for @apollo/explorer (npm) Sep 26, 2025
Credited to ekzyis
Flowise Cors Misconfiguration in packages/server/src/index.ts High
CVE-2024-36421 was published for flowise (npm) Aug 5, 2024
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability High
CVE-2024-26135 was published for meshcentral (npm) Feb 21, 2024
Overly permissive origin policy High
CVE-2023-49803 was published for @koa/cors (npm) Dec 11, 2023
Credited to PawelJ-PL
Remote code execution in Eclipse Theia High
CVE-2021-34435 was published for @theia/mini-browser (npm) Sep 2, 2021