GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
26 advisories
Filter by severity
AgenticMail: Cross-agent task authorization bypass in AgenticMail API
High
GHSA-hjwc-26pj-v3pm
was published
for
@agenticmail/api
(npm)
Jun 18, 2026
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
High
CVE-2026-45337
was published
for
better-auth
(npm)
Jun 4, 2026
n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
High
CVE-2026-45732
was published
for
n8n
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-46441
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
High
CVE-2026-42863
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-42862
was published
for
flowise
(npm)
May 14, 2026
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
High
CVE-2026-42861
was published
for
flowise
(npm)
May 14, 2026
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
High
CVE-2026-41279
was published
for
flowise
(npm)
Apr 17, 2026
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
High
CVE-2026-41277
was published
for
flowise
(npm)
Apr 17, 2026
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
High
CVE-2026-41267
was published
for
flowise
(npm)
Apr 16, 2026
Directus: Path Traversal and Broken Access Control in File Management API
High
CVE-2026-39942
was published
for
directus
(npm)
Apr 4, 2026
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
High
GHSA-q2qc-744p-66r2
was published
for
openclaw
(npm)
Mar 29, 2026
n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
High
CVE-2026-33663
was published
for
n8n
(npm)
Mar 25, 2026
StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
High
CVE-2026-30945
was published
for
studiocms
(npm)
Mar 11, 2026
StudioCMS has Privilege Escalation via Insecure API Token Generation
High
CVE-2026-30944
was published
for
studiocms
(npm)
Mar 10, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
High
CVE-2026-30920
was published
for
@oneuptime/common
(npm)
Mar 9, 2026
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
High
CVE-2026-30823
was published
for
flowise
(npm)
Mar 6, 2026
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From
High
GHSA-2ch6-x3g4-7759
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
High
CVE-2026-28469
was published
for
clawdbot
(npm)
Feb 18, 2026
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
High
GHSA-hv93-r4j3-q65f
was published
for
openclaw
(npm)
Feb 17, 2026
Better Auth Passkey Plugin allows passkey deletion through IDOR
High
GHSA-4vcf-q4xf-f48m
was published
for
@better-auth/passkey
(npm)
Nov 25, 2025
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
High
CVE-2024-56143
was published
for
@strapi/core
(npm)
Oct 16, 2025
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
High
CVE-2024-29194
was published
for
@oneuptime/common-server
(npm)
Mar 25, 2024
Authorization Bypass in parse-path
High
CVE-2022-0624
was published
for
parse-path
(npm)
Jun 29, 2022
ProTip!
Advisories are also available from the
GraphQL API