Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

67 advisories

Loading
Authorization Bypass in parse-path High
CVE-2022-0624 was published for parse-path (npm) Jun 29, 2022
Machine-In-The-Middle in lix High
CVE-2020-10800 was published for lix (npm) Apr 16, 2020
Authorization Bypass Through User-Controlled Key in urijs Moderate
CVE-2022-0613 was published for urijs (npm) Feb 17, 2022
Authorization Bypass Through User-Controlled Key in url-parse Critical
CVE-2022-0686 was published for url-parse (npm) Feb 21, 2022
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR) Critical
CVE-2024-22206 was published for @clerk/nextjs (npm) Jan 12, 2024
nikosdouvlis Credited to nikosdouvlis, SokratisVidros, colinclerk, agis, braden-clerk, and brkalow SokratisVidros SokratisVidros
colinclerk colinclerk agis agis braden-clerk braden-clerk brkalow brkalow
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation High
CVE-2024-29194 was published for @oneuptime/common-server (npm) Mar 25, 2024
saunders-jake Credited to saunders-jake
@strapi/plugin-content-manager leaks data via relations via the Admin Panel Low
CVE-2024-29181 was published for @strapi/plugin-content-manager (npm) Jun 12, 2024
felixdkatt Credited to felixdkatt, derrickmehaffy, Bassel17, and christiancp100 derrickmehaffy derrickmehaffy
Bassel17 Bassel17 christiancp100 christiancp100
Next.js Cache Poisoning High
CVE-2024-46982 was published for next (npm) Sep 17, 2024
Escalation of privileges in @sap/xssec Critical
CVE-2023-49583 was published for @sap/xssec (npm) Dec 12, 2023
leon-vg Credited to leon-vg
Duplicate Advisory: Improper access control in Directus Moderate
GHSA-q83v-hq3j-4pq3 was published for directus (npm) Aug 15, 2024 withdrawn
dchocoboo Credited to dchocoboo
Directus has an insecure object reference via PATH presets Moderate
CVE-2024-6534 was published for directus (npm) Aug 27, 2024
Strapi Allows Unauthorized Access to Private Fields via parms.lookup High
CVE-2024-56143 was published for @strapi/core (npm) Oct 16, 2025
Boegie19 Credited to Boegie19, alexandrebodin, and derrickmehaffy alexandrebodin alexandrebodin
derrickmehaffy derrickmehaffy
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage Moderate
CVE-2025-63700 was published for @clerk/clerk-js (npm) Nov 20, 2025
Better Auth Passkey Plugin allows passkey deletion through IDOR High
GHSA-4vcf-q4xf-f48m was published for @better-auth/passkey (npm) Nov 25, 2025
goksan Credited to goksan
EverShop is vulnerable to Unauthorized Order Information Access (IDOR) Low
CVE-2025-12919 was published for @evershop/evershop (npm) Nov 9, 2025
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header Moderate
CVE-2025-69202 was published for axios-cache-interceptor (npm) Dec 30, 2025
kishore03109 Credited to kishore03109 and arthurfiorette arthurfiorette arthurfiorette
StudioCMS has Authorization Bypass Through User-Controlled Key Moderate
CVE-2026-24134 was published for studiocms (npm) Jan 27, 2026
FilipeGaudard Credited to FilipeGaudard and Adammatthiesen Adammatthiesen Adammatthiesen
Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing Moderate
CVE-2026-1664 was published for agents (npm) Feb 3, 2026
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. Moderate
CVE-2022-0691 was published for url-parse (npm) Feb 22, 2022
jhutchings1 Credited to jhutchings1, Kenny2github, y-yagi, Haxatron, and ljharb Kenny2github Kenny2github
y-yagi y-yagi Haxatron Haxatron ljharb ljharb
payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments) Moderate
CVE-2026-25574 was published for payload (npm) Feb 5, 2026
s2ongmo Credited to s2ongmo
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing High
GHSA-hv93-r4j3-q65f was published for openclaw (npm) Feb 17, 2026
alpernae Credited to alpernae
Authorization bypass in url-parse Moderate
CVE-2022-0512 was published for url-parse (npm) Feb 15, 2022
ljharb Credited to ljharb
url-parse Incorrectly parses URLs that include an '@' Moderate
CVE-2022-0639 was published for url-parse (npm) Feb 18, 2022
Haxatron Credited to Haxatron and ljharb ljharb ljharb
NocoDB Missing Ownership Validation in MCP Token Operations Moderate
CVE-2026-28361 was published for nocodb (npm) Mar 2, 2026
bugbunny-research Credited to bugbunny-research
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption Moderate
GHSA-j26j-7qc4-3mrf was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database