GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
18 advisories
OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
Moderate. GHSA-mhgq-xpfq-6r66 was published for openclaw (npm) on Apr 2, 2026.
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
Moderate. GHSA-jp4j-q5fc-58gv was published for openclaw (npm) on Mar 31, 2026.
OpenClaw: Zalo channel downloads media before sender authorization
Moderate. CVE-2026-33576 was published for openclaw (npm) on Mar 31, 2026.
OpenClaw: Mutating internal `/allowlist` chat commands missed `operator.admin` scope enforcement
Moderate. GHSA-vqvg-86cc-cg83 was published for openclaw (npm) on Mar 30, 2026.
Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
Moderate. CVE-2026-33768 was published for @astrojs/vercel (npm) on Mar 26, 2026.
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Moderate. GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) on Mar 13, 2026.
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Moderate. CVE-2026-32230 was published for uptime-kuma (npm) on Mar 12, 2026.
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate. CVE-2026-30959 was published for @oneuptime/common (npm) on Mar 10, 2026.
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate. CVE-2026-30850 was published for parse-server (npm) on Mar 9, 2026.
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Moderate. GHSA-j26j-7qc4-3mrf was published for openclaw (npm) on Mar 3, 2026.
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Moderate. CVE-2026-27638 was published for @actual-app/sync-server (npm) on Feb 27, 2026.
StudioCMS has Authorization Bypass Through User-Controlled Key
Moderate. CVE-2026-24134 was published for studiocms (npm) on Jan 27, 2026.
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
Moderate. CVE-2025-59160 was published for matrix-js-sdk (npm) on Sep 16, 2025.
n8n is vulnerable to Improper Authorization through its `/stop` endpoint
Moderate. CVE-2025-52554 was published for n8n (npm) on Jul 3, 2025.
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
Moderate. CVE-2023-40027 was published for @keystone-6/core (npm) on Aug 15, 2023.
OpenZeppelin Contracts's governor proposal creation may be blocked by frontrunning
Moderate. CVE-2023-34234 was published for @openzeppelin/contracts (npm) on Jun 8, 2023.
matrix-js-sdk vulnerable to invisible eavesdropping in group calls
Moderate. CVE-2023-29529 was published for matrix-js-sdk (npm) on Apr 14, 2023.
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
Moderate. CVE-2021-39184 was published for electron (npm) on Oct 12, 2021.