GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
52 advisories
Filter by severity
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
High
CVE-2026-55487
was published
for
pnpm
(npm)
Jun 26, 2026
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
High
GHSA-v3f4-w7r7-v3hm
was published
for
@zenalexa/unicli
(npm)
Jun 19, 2026
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
High
CVE-2026-55660
was published
for
@tinacms/app
(npm)
Jun 19, 2026
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
High
GHSA-v52w-28xh-v562
was published
for
@kozou/api
(npm)
Jun 19, 2026
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
High
CVE-2026-6734
was published
for
undici
(npm)
Jun 19, 2026
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Moderate
CVE-2026-9595
was published
for
webpack-dev-server
(npm)
Jun 17, 2026
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass
High
CVE-2026-50168
was published
for
@angular/platform-server
(npm)
Jun 15, 2026
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects
Moderate
CVE-2026-48022
was published
for
@hapi/wreck
(npm)
Jun 11, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
High
CVE-2026-46701
was published
for
network-ai
(npm)
May 21, 2026
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport
High
GHSA-fvh2-gm75-j4j7
was published
for
dynoxide
(npm)
May 18, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
Moderate
GHSA-qhh4-458h-xwh2
was published
for
@cyclonedx/cdxgen
(npm)
May 8, 2026
OpenClaw: Slack thread context could include messages from non-allowlisted senders
Low
CVE-2026-41358
was published
for
openclaw
(npm)
May 4, 2026
Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders
Low
GHSA-7hrg-5w46-5r2x
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
High
GHSA-gv2f-q4wp-fvh5
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
High
CVE-2026-41886
was published
for
locize
(npm)
Apr 22, 2026
Directus: Missing Cross-Origin Opener Policy
High
CVE-2026-35408
was published
for
directus
(npm)
Apr 4, 2026
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Moderate
CVE-2026-34083
was published
for
signalk-server
(npm)
Apr 3, 2026
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration
High
CVE-2026-41393
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Low
CVE-2026-41347
was published
for
openclaw
(npm)
Apr 3, 2026
Electron: Incorrect origin passed to permission request handler for iframe requests
Moderate
CVE-2026-34777
was published
for
electron
(npm)
Apr 3, 2026
OpenClaw: Matrix thread root and reply context bypass sender allowlist
Low
CVE-2026-41376
was published
for
openclaw
(npm)
Apr 2, 2026
GraphQL API endpoint ignores CORS origin restriction
Moderate
CVE-2026-34373
was published
for
parse-server
(npm)
Mar 30, 2026
@grackle-ai/server has Missing WebSocket Origin Header Validation
High
GHSA-w3hv-x4fp-6h6j
was published
for
@grackle-ai/server
(npm)
Mar 25, 2026
ProTip!
Advisories are also available from the
GraphQL API