GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
75 advisories
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
  Severity: High | ID: CVE-2026-45717 | Package: @budibase/server (npm) | Published: May 15, 2026

Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
  Severity: High | ID: CVE-2026-45395 | Package: open-webui (npm) | Published: May 14, 2026

FlowiseAI: Vector Store No Permission Checks
  Severity: High | ID: CVE-2026-46444 | Package: flowise (npm) | Published: May 14, 2026

Duplicate Advisory: OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
  Severity: Moderate | ID: GHSA-82rm-qcfx-2v78 | Package: openclaw (npm) | Published: May 6, 2026 | Status: withdrawn

Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
  Severity: Moderate | ID: GHSA-wwwc-f646-vj2j | Package: openclaw (npm) | Published: May 6, 2026 | Status: withdrawn

OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
  Severity: High | ID: GHSA-cwj3-vqpp-pmxr | Package: openclaw (npm) | Published: May 5, 2026

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
  Severity: Moderate | ID: GHSA-c28g-vh7m-fm7v | Package: openclaw (npm) | Published: Apr 29, 2026

n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
  Severity: High | ID: CVE-2026-42226 | Package: n8n (npm) | Published: Apr 29, 2026

n8n Vulnerable to Hijacking of Unauthenticated Chat Execution
  Severity: Moderate | ID: CVE-2026-42228 | Package: n8n (npm) | Published: Apr 29, 2026

OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy
  Severity: Moderate | ID: GHSA-qrp5-gfw2-gxv4 | Package: openclaw (npm) | Published: Apr 25, 2026

Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
  Severity: High | ID: GHSA-7vq9-42cc-33j4 | Package: openclaw (npm) | Published: Apr 24, 2026 | Status: withdrawn

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
  Severity: High | ID: CVE-2026-33318 | Package: @actual-app/sync-server (npm) | Published: Apr 23, 2026

OpenClaw: Matrix profile config persistence was reachable from operator.write message tools
  Severity: High | ID: CVE-2026-42433 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
  Severity: Moderate | ID: CVE-2026-43580 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
  Severity: Moderate | ID: CVE-2026-43573 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
  Severity: Moderate | ID: CVE-2026-42439 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
  Severity: High | ID: CVE-2026-43571 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Empty approver lists could grant explicit approval authorization
  Severity: Moderate | ID: CVE-2026-43574 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks
  Severity: Low | ID: CVE-2026-43572 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay
  Severity: Low | ID: CVE-2026-43583 | Package: openclaw (npm) | Published: Apr 17, 2026

OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
  Severity: Moderate | ID: CVE-2026-42436 | Package: openclaw (npm) | Published: Apr 17, 2026

Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
  Severity: Critical | ID: GHSA-47wq-cj9q-wpmp | Package: @paperclipai/server (npm) | Published: Apr 16, 2026

Flowise: Sensitive Data Leak in public-chatbotConfig
  Severity: High | ID: CVE-2026-41266 | Package: flowise (npm) | Published: Apr 16, 2026

paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
  Severity: Critical | ID: CVE-2026-41679 | Package: @paperclipai/server (npm) | Published: Apr 10, 2026

@delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints, allowing unauthenticated access to Puck-registered collections
  Severity: Critical | ID: CVE-2026-39397 | Package: @delmaredigital/payload-puck (npm) | Published: Apr 8, 2026