GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,147 advisories
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
Locutus vulnerable to RCE via unsanitized input in create_function()
Critical
CVE-2026-32304
was published
for
locutus
(npm)
Mar 13, 2026
SandboxJS affected by a Sandbox Escape
Critical
CVE-2026-26954
was published
for
@nyariv/sandboxjs
(npm)
Mar 13, 2026
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical
GHSA-rqpp-rjj8-7wv8
was published
for
openclaw
(npm)
Mar 13, 2026
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical
CVE-2026-32621
was published
for
@apollo/federation-internals
(npm)
Mar 13, 2026
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Critical
GHSA-4jpw-hj22-2xmc
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Critical
GHSA-xw77-45gv-p728
was published
for
openclaw
(npm)
Mar 13, 2026
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Critical
CVE-2026-31862
was published
for
@siteboon/claudecodeui
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
n8n Vulnerable to Remote Code Execution via Expression Injection
Critical
CVE-2025-68613
was published
for
n8n
(npm)
Dec 22, 2025
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Critical
CVE-2026-30965
was published
for
parse-server
(npm)
Mar 11, 2026
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Critical
CVE-2026-29793
was published
for
@feathersjs/mongodb
(npm)
Mar 10, 2026
Feathers has an OAuth Callback Account Takeover issue
Critical
CVE-2026-29792
was published
for
@feathersjs/authentication-oauth
(npm)
Mar 10, 2026
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
Critical
CVE-2026-28446
was published
for
openclaw
(npm)
Feb 17, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30921
was published
for
@oneuptime/common
(npm)
Mar 7, 2026
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Critical
CVE-2026-30887
was published
for
@oneuptime/common
(npm)
Mar 7, 2026
ProTip!
Advisories are also available from the
GraphQL API