GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

14 advisories

Total.js CMS Unauthorized Access High
CVE-2019-15953 was published for total4 (npm) May 24, 2022
Double spend in snarkjs High
CVE-2023-33252 was published for snarkjs (npm) May 22, 2023
HAX CMS API Lacks Authorization Checks High
CVE-2025-54378 was published for @haxtheweb/haxcms-nodejs (Composer) Jul 25, 2025
Credited to lfgberg
Flowise has unsandboxed remote code execution via Custom MCP High
GHSA-6933-jpx5-q87q was published for flowise (npm) Sep 15, 2025
Credited to assaf-levkovich-jf
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions High
CVE-2025-59828 was published for @anthropic-ai/claude-code (npm) Sep 24, 2025
Credited to cai0duque
misskey.js's export data contains private post data High
CVE-2025-66402 was published for misskey-js (npm) Dec 15, 2025
Credited to na2204 and samunohito
OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools High
GHSA-jr6x-2q95-fh2g was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's sandbox browser noVNC observer lacked VNC authentication High
CVE-2026-32064 was published for openclaw (npm) Mar 3, 2026
Credited to TerminalsandCoffee and berkdedekarginoglu
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
Credited to maru1009
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes High
CVE-2026-31800 was published for parse-server (npm) Mar 11, 2026
Credited to theinfosecguy and mtrezza
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers High
GHSA-wq58-2pvg-5h4f was published for openclaw (npm) Mar 26, 2026
Credited to smaeljaish771
OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement High
GHSA-3w6x-gv34-mqpf was published for openclaw (npm) Mar 26, 2026
Credited to tdjackey and nexrin