
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

56 advisories

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle High
CVE-2026-55487 was published for pnpm (npm) Jun 26, 2026
chi Middleware Vulnerable to Potential IP Spoofing via `X-Forwarded-For` Header in `Request.RemoteAddr` Resolution High
GHSA-9g5q-2w5x-hmxf was published for github.com/go-chi/chi/middleware (Go) Jun 25, 2026
Credited to convto
Anki's local HTTP server does not sufficiently validate requests High
GHSA-869j-r97x-hx2g was published for aqt (pip) Jun 19, 2026
Credited to taviso
LangSmith SDK TracingMiddleware: Arbitrary server-side file read High
GHSA-f4xh-w4cj-qxq8 was published for langsmith (pip) Jun 19, 2026
Credited to Ryu7zz
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
Credited to dodge1218
Credited to kulesy
Blocky DNSSEC validation bypass and validation-cache scope pollution High
GHSA-x845-2f78-7v36 was published for github.com/0xERR0R/blocky (Go) Jun 19, 2026
Credited to RealHurrison
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
Credited to ChALkeR, mcollina, and UlisesGascon
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools High
GHSA-vmf9-xx9w-86wx was published for praisonai (pip) Jun 18, 2026
Credited to rexpository
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit High
CVE-2026-54007 was published for open-webui (pip) Jun 17, 2026
Credited to Aikido-Security, JorianWoltjer, grumpinout1, and Classic298
@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass High
CVE-2026-50168 was published for @angular/platform-server (npm) Jun 15, 2026
Credited to alan-agius4, AndrewKushnir, josephperrott, and 0xEr3n
Appsmith: Configuration-dependent origin validation bypass in password reset and email verification link generation High
GHSA-j9gf-vw2f-9hrw was published for com.appsmith:server (Maven) Jun 12, 2026
Credited to 0xmrma
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret High
CVE-2026-46701 was published for network-ai (npm) May 21, 2026
Credited to 232-323 and min8282
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport High
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
Credited to hicksy
Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication High
CVE-2026-44985 was published for github.com/amir20/dozzle (Go) May 11, 2026
Credited to q1uf3ng
rmcp Streamable HTTP server transport has a DNS rebinding vulnerability High
CVE-2026-42559 was published for rmcp (Rust) May 6, 2026
Credited to JLLeitschuh
Credited to offset
Java-SDK has a DNS Rebinding Vulnerability High
CVE-2026-35568 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Apr 7, 2026
Credited to JLLeitschuh
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration High
CVE-2026-41393 was published for openclaw (npm) Apr 3, 2026
Credited to nexrin, KeenSecurityLab, and qclawer
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
Credited to offset
@grackle-ai/server has Missing WebSocket Origin Header Validation High
GHSA-w3hv-x4fp-6h6j was published for @grackle-ai/server (npm) Mar 25, 2026