Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

67 advisories

Loading
n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints High
CVE-2026-45732 was published for n8n (npm) May 14, 2026
nkoorty Credited to nkoorty and jjjutla jjjutla jjjutla
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-46441 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment High
CVE-2026-42863 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42862 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment High
CVE-2026-42861 was published for flowise (npm) May 14, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure Moderate
CVE-2026-42227 was published for n8n (npm) Apr 29, 2026
nkoorty Credited to nkoorty and jjjutla jjjutla jjjutla
Duplicate Advisory: OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections Moderate
GHSA-f5fm-9jmp-c88r was published for openclaw (npm) Apr 28, 2026 withdrawn
OpenClaw: Hook mapping templates could bypass hook session-key opt-in Moderate
CVE-2026-45002 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials High
CVE-2026-41279 was published for flowise (npm) Apr 17, 2026
DeathsPirate Credited to DeathsPirate
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR) High
CVE-2026-41277 was published for flowise (npm) Apr 17, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise Critical
GHSA-3xx2-mqjm-hg9x was published for @paperclipai/server (npm) Apr 16, 2026
offset Credited to offset
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys Critical
GHSA-47wq-cj9q-wpmp was published for @paperclipai/server (npm) Apr 16, 2026
peaktwilight Credited to peaktwilight
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association High
CVE-2026-41267 was published for flowise (npm) Apr 16, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
MCPHub has an authentication bypass Moderate
CVE-2025-13822 was published for @samanhappy/mcphub (npm) Apr 14, 2026
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections Moderate
CVE-2026-41372 was published for openclaw (npm) Apr 7, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Directus: Path Traversal and Broken Access Control in File Management API High
CVE-2026-39942 was published for directus (npm) Apr 4, 2026
r3dpower Credited to r3dpower, pmins99, and odgrso pmins99 pmins99
odgrso odgrso
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist Moderate
CVE-2026-41406 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
CVE-2026-35617 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility High
GHSA-q2qc-744p-66r2 was published for openclaw (npm) Mar 29, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope Moderate
CVE-2026-35657 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Low
CVE-2026-35624 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution. Moderate
CVE-2026-35670 was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no Moderate
CVE-2026-33724 was published for n8n (npm) Mar 25, 2026
kolega-ai-dev Credited to kolega-ai-dev
n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition High
CVE-2026-33663 was published for n8n (npm) Mar 25, 2026
tr4ce-ju Credited to tr4ce-ju
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens Low
CVE-2026-32638 was published for studiocms (npm) Mar 16, 2026
offset Credited to offset and Adammatthiesen Adammatthiesen Adammatthiesen
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database