
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

322 advisories

Credited to VashuVats
OpenClaw: Voice-call realtime WebSocket accepted oversized frames High
GHSA-vw3h-q6xq-jjm5 was published for openclaw (npm) Apr 17, 2026
Credited to G0odUser
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() High
CVE-2026-41324 was published for basic-ftp (npm) Apr 16, 2026
Credited to MaanVader
@vitejs/plugin-rsc has a Denial of Service with React Server Components High
GHSA-v457-wxvj-p9w9 was published for @vitejs/plugin-rsc (npm) Apr 10, 2026
React Server Components have a Denial of Service Vulnerability High
CVE-2026-23869 was published for react-server-dom-parcel (npm) Apr 10, 2026
Zod jsVideoUrlParser vulnerable to ReDoS in util.js Moderate
CVE-2026-5986 was published for js-video-url-parser (npm) Apr 10, 2026
Credited to Telecaster2147
Axios HTTP/2 Session Cleanup State Corruption Vulnerability Moderate
CVE-2026-39865 was published for axios (npm) Apr 8, 2026
Credited to vmulas and sealonohana
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter Low
CVE-2026-34166 was published for liquidjs (npm) Apr 8, 2026
Credited to offset
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
Credited to wrathsec
Credited to bugbunny-research
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits Moderate
CVE-2026-35441 was published for directus (npm) Apr 4, 2026
Credited to liyander
Credited to Kazamayc
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion Moderate
GHSA-p464-m8x6-vhv8 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades Moderate
GHSA-f44p-c7w9-7xr7 was published for openclaw (npm) Mar 31, 2026
Credited to topsec-bunney
Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions Moderate
CVE-2026-34404 was published for nuxt-og-image (npm) Mar 31, 2026
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation Moderate
CVE-2026-35640 was published for openclaw (npm) Mar 29, 2026
Credited to tdjackey
path-to-regexp vulnerable to Denial of Service via sequential optional groups High
CVE-2026-4926 was published for path-to-regexp (npm) Mar 27, 2026
Credited to uug4na, blakeembrey, and UlisesGascon
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects Moderate
CVE-2026-34043 was published for serialize-javascript (npm) Mar 27, 2026
Credited to TomerAberbach
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling Moderate
CVE-2026-35626 was published for openclaw (npm) Mar 26, 2026
Credited to SEORY0
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure High
CVE-2026-35633 was published for openclaw (npm) Mar 26, 2026
brace-expansion: Zero-step sequence causes process hang and memory exhaustion Moderate
CVE-2026-33750 was published for brace-expansion (npm) Mar 26, 2026
Credited to subhashdasyam, katzj, and navgarcha
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern High
CVE-2026-33287 was published for liquidjs (npm) Mar 25, 2026
Credited to koDove