Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

52 advisories

Loading
pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
dodge1218 Credited to dodge1218
kulesy Credited to kulesy
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
ChALkeR Credited to ChALkeR, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies Moderate
CVE-2026-9595 was published for webpack-dev-server (npm) Jun 17, 2026
bjohansebas Credited to bjohansebas and UlisesGascon UlisesGascon UlisesGascon
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n AndrewKushnir AndrewKushnir
josephperrott josephperrott 0xEr3n 0xEr3n
@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects Moderate
CVE-2026-48022 was published for @hapi/wreck (npm) Jun 11, 2026
SnailSploit Credited to SnailSploit
purpshell Credited to purpshell and SheIITear SheIITear SheIITear
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
232-323 Credited to 232-323 and min8282 min8282 min8282
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport High
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
hicksy Credited to hicksy
SillyTavern has Authentication Bypass via SSO Header Injection Critical
CVE-2026-44649 was published for sillytavern (npm) May 12, 2026
kirakira-dev Credited to kirakira-dev
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry Moderate
GHSA-qhh4-458h-xwh2 was published for @cyclonedx/cdxgen (npm) May 8, 2026
OpenClaw: Slack thread context could include messages from non-allowlisted senders Low
CVE-2026-41358 was published for openclaw (npm) May 4, 2026
AntAISecurityLab Credited to AntAISecurityLab
Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders Low
GHSA-7hrg-5w46-5r2x was published for openclaw (npm) Apr 24, 2026 withdrawn
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration High
CVE-2026-41393 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Low
CVE-2026-41347 was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Electron: Incorrect origin passed to permission request handler for iframe requests Moderate
CVE-2026-34777 was published for electron (npm) Apr 3, 2026
OpenClaw: Matrix thread root and reply context bypass sender allowlist Low
CVE-2026-41376 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
mtrezza Credited to mtrezza
@grackle-ai/server has Missing WebSocket Origin Header Validation High
GHSA-w3hv-x4fp-6h6j was published for @grackle-ai/server (npm) Mar 25, 2026
ProTip! Advisories are also available from the GraphQL API