GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

67 advisories

Turbo: Login callback CSRF/session fixation Moderate
CVE-2026-45773 was published for turbo (npm) May 19, 2026
Credited to DanStuartDept, jpleyden98, and ToshB

Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF High
CVE-2026-50132 was published for @budibase/server (npm) Jun 22, 2026
Credited to VishaaLlKumaaRr

Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
Credited to dodge1218

Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions Moderate
GHSA-mxjx-28vx-xjjj was published for network-ai (npm) Jun 19, 2026
Credited to EchoSkorJjj

React Router: Potential CSRF via PUT/PATCH/DELETE document requests Low
CVE-2026-53663 was published for @remix-run/server-runtime (npm) Jun 15, 2026
Credited to gasbugs

Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker Moderate
CVE-2026-48147 was published for @budibase/backend-core (npm) Jun 12, 2026
Credited to b-hermes

OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS Moderate
CVE-2026-42073 was published for @gitlawb/openclaude (npm) May 12, 2026
Credited to xancyber

React Router has CSRF issue in Action/Server Action Request Processing Moderate
CVE-2026-22030 was published for @remix-run/server-runtime (npm) Jan 8, 2026
Credited to Oceandust

dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport High
GHSA-fvh2-gm75-j4j7 was published for dynoxide (npm) May 18, 2026
Credited to hicksy

Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE Moderate
GHSA-wxw3-q3m9-c3jr was published for better-auth (npm) May 15, 2026
Credited to Jvr2022 and alavesa

RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions Moderate
CVE-2026-42190 was published for rwsdk (npm) Apr 24, 2026
Credited to mthx

OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Low
CVE-2026-41347 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab

Duplicate Advisory: OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Low
GHSA-2xp4-qhr4-xqm2 was published for openclaw (npm) Apr 24, 2026 (withdrawn)
Credited to gabiudrescu

RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests High
CVE-2026-39371 was published for rwsdk (npm) Apr 8, 2026
Credited to zebbern

Payload has a CSRF Protection Bypass in Authentication Flow Moderate
CVE-2026-34749 was published for payload (npm) Apr 1, 2026

mongo-express Cross-site Request Forgery vulnerability Moderate
CVE-2023-52555 was published for mongo-express (npm) Mar 1, 2024

Next.js: null origin can bypass Server Actions CSRF checks Moderate
CVE-2026-27978 was published for next (npm) Mar 17, 2026

Ghost has incomplete CSRF protections around OTC use High
CVE-2026-29784 was published for ghost (npm) Mar 5, 2026

OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution Moderate
CVE-2026-28477 was published for openclaw (npm) Feb 18, 2026

Mercurius: Incorrect Content-Type parsing can lead to CSRF attack Moderate
CVE-2025-64166 was published for mercurius (npm) Mar 5, 2026
Credited to simone-sanfratello

Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data Moderate
CVE-2025-47204 was published for bootstrap-multiselect (npm) May 13, 2025
Credited to abrom

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint High
CVE-2026-27609 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza and vincentkoc
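Several titles in this list describe one failure class: a state-changing HTTP endpoint (server action, operator or MCP endpoint, admin route) that does not validate the browser origin, treats the literal `null` origin as acceptable, matches exempt routes with a pattern that the query string can satisfy, or dispatches a mutation on GET. The JavaScript below is an added illustration of how such an endpoint is gated, not code from any of the listed projects or advisories; the allow-listed origin, the exempt webhook path, the function names and the sample requests are assumptions.

```javascript
// Added example, not taken from any advisory above. Gates a state-changing
// endpoint on the request's browser origin. Assumed deployment values:
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed app origin
const CSRF_EXEMPT_PATHS = new Set(["/webhooks/stripe"]);      // assumed signed-webhook route
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// `headers` is a plain object keyed by lowercase header name.
function originAllowed(headers, allowed = ALLOWED_ORIGINS) {
  const site = headers["sec-fetch-site"];
  // Sec-Fetch-Site is a forbidden header: browsers set it, page scripts cannot.
  if (site === "same-origin") return true;
  if (site === "cross-site") return false;
  // "same-site" (a sibling subdomain), "none", or a browser without the
  // header: fall through to an exact Origin comparison.
  const origin = headers["origin"];
  // A state-changing request with no Origin is rejected, not assumed same-origin.
  if (origin === undefined) return false;
  // Opaque origins (sandboxed iframes, cross-origin redirects, data: URLs) arrive
  // as the literal string "null"; it must never satisfy an allow-list.
  if (origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a well-formed origin
  }
  // Exact serialized-origin comparison: no prefix test and no unanchored regex,
  // so "https://app.example.com.evil.tld" does not match "https://app.example.com".
  return parsed.origin === origin && allowed.has(origin);
}

// Exempt-route test on the parsed pathname only, so nothing placed in the
// query string can make a protected route look exempt.
function isCsrfExempt(requestUrl, exempt = CSRF_EXEMPT_PATHS) {
  const { pathname } = new URL(requestUrl);
  return exempt.has(pathname);
}

// Returns the HTTP status the endpoint should answer with:
// 405 for safe methods (mutations never dispatch on GET/HEAD/OPTIONS),
// 403 when the origin check fails, 200 when the request may proceed.
function csrfGate(method, requestUrl, headers) {
  if (SAFE_METHODS.has(method)) return 405;
  if (isCsrfExempt(requestUrl)) return 200;
  return originAllowed(headers) ? 200 : 403;
}

// Constructed sample requests (not captured traffic).
const samples = [
  ["POST", "https://app.example.com/actions/delete",
    { origin: "https://app.example.com", "sec-fetch-site": "same-origin" }],
  ["POST", "https://app.example.com/actions/delete", { origin: "null" }],
  ["POST", "https://app.example.com/actions/delete?next=/webhooks/stripe", {}],
  ["GET", "https://app.example.com/actions/delete", { origin: "https://app.example.com" }],
];
for (const [method, url, headers] of samples) {
  console.log(method, url, "->", csrfGate(method, url, headers));
}
```

The exempt-path check is deliberately applied to `pathname` from a parsed URL rather than to the raw request target, and the origin comparison is an exact match on the serialized origin; both choices close the bypasses that the query-string-injection and null-origin titles above refer to.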