
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

23 advisories

webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies (Moderate)
  CVE-2026-9595, published for webpack-dev-server (npm) on Jun 17, 2026
  Credited to bjohansebas and UlisesGascon

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint (Moderate)
  CVE-2026-53931, published for nocodb (npm) on Jun 17, 2026
  Credited to p- and KEIJOT

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities (Moderate)
  CVE-2026-50169, published for @angular/service-worker (npm) on Jun 15, 2026
  Credited to Yenya030, alan-agius4, JeanMeche, josephperrott, and AndrewKushnir

Confused Deputy in Kubernetes (Moderate)
  CVE-2020-8561, published for k8s.io/kubernetes (Go) on Sep 21, 2021

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection (Moderate)
  CVE-2026-47122, published for github.com/sparkle-project/Sparkle (Swift) on May 29, 2026
  Credited to fg0x0

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests (Moderate)
  GHSA-4mhr-cxr4-2prm, published for openclaw (npm) on May 11, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts (Moderate)
  GHSA-5jgm-f9wr-9qm7, published for openclaw (npm) on May 11, 2026 (withdrawn)

Duplicate Advisory: OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API (Moderate)
  GHSA-8pf2-vj79-4wxg, published for openclaw (npm) on Apr 28, 2026 (withdrawn)

Kratos has a Confused Deputy issue (Moderate)
  CVE-2026-6993, published for github.com/go-kratos/kratos/v2 (Go) on Apr 25, 2026

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF (Moderate)
  CVE-2025-62718, published for axios (npm) on Apr 9, 2026
  Credited to AmeerAssadi, SwTan98, and jasonsaayman

Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource (Moderate)
  CVE-2026-39961, published for github.com/aiven/aiven-operator (Go) on Apr 10, 2026
  Credited to AndresAIFR

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` (Moderate)
  CVE-2026-33768, published for @astrojs/vercel (npm) on Mar 26, 2026
  Credited to jp-soba

OliveTin's RestartAction always runs actions as guest (Moderate)
  CVE-2026-30225, published for github.com/OliveTin/OliveTin (Go) on Mar 5, 2026
  Credited to Zwique

Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries (Moderate)
  CVE-2025-68944, published for code.gitea.io/gitea (Go) on Dec 26, 2025

fastify-reply-from affected by bypass of reply forwarding (Moderate)
  CVE-2025-66415, published for @fastify/reply-from (npm) on Dec 2, 2025
  Credited to rozzilla

marimo vulnerable to proxy abuse of /mpl/{port}/ (Moderate)
  GHSA-xjv7-6w92-42r7, published for marimo (pip) on Oct 1, 2025
  Credited to acepace

Rack has a Possible Information Disclosure Vulnerability (Moderate)
  CVE-2025-61780, published for rack (RubyGems) on Oct 10, 2025
  Credited to leahneukirchen, jeremyevans, matthewd, and ioquatix

kro Confused Deputy vulnerability (Moderate)
  CVE-2025-48710, published for github.com/kro-run/kro (Go) on Jun 4, 2025

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull (Moderate)
  CVE-2024-34068, published for github.com/pterodactyl/wings (Go) on May 3, 2024
  Credited to TrixterTheTux and matthewpi

Jenkins Publisher Over CIFS Plugin confused deputy vulnerability (Moderate)
  CVE-2018-1999038, published for org.jenkins-ci.plugins:publish-over-cifs (Maven) on May 14, 2022

Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix (Moderate)
  CVE-2020-5412, published for org.springframework.cloud:spring-cloud-netflix (Maven) on Apr 30, 2021

Unchecked hostname resolution could allow access to local network resources by users outside the local network (Moderate)
  GHSA-6rg3-8h8x-5xfv, published for github.com/pterodactyl/wings (Go) on Jun 23, 2021