Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

2,322 advisories

Loading
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening High
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) May 7, 2026
Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker High
CVE-2026-42553 was published for cinny (npm) May 7, 2026
Quasar0147 Credited to Quasar0147
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) High
CVE-2026-44001 was published for vm2 (npm) May 7, 2026
koDove Credited to koDove
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect High
CVE-2026-44503 was published for Microsoft.Kiota.Abstractions (Go) May 7, 2026
MIchaelMainer Credited to MIchaelMainer
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering High
CVE-2026-44240 was published for basic-ftp (npm) May 6, 2026
thesmartshadow Credited to thesmartshadow
dssrf: every IPv6 category bypasses is_url_safe High
CVE-2026-44232 was published for dssrf (npm) May 6, 2026
b-hermes Credited to b-hermes and HackingRepo HackingRepo HackingRepo
Auth.js SDK has Improper Permission Checking High
CVE-2026-42280 was published for auth0-js (npm) May 6, 2026
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection High
CVE-2026-42334 was published for mongoose (npm) May 5, 2026
katzj Credited to katzj
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts High
GHSA-jxh8-jh77-xh6g was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE) High
GHSA-cfcj-hqpf-hccf was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname` High
CVE-2026-42260 was published for open-websearch (npm) May 5, 2026
shmulc8 Credited to shmulc8
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs High
CVE-2026-43929 was published for ssrfcheck (npm) May 5, 2026
hits313 Credited to hits313
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid High
CVE-2025-8267 was published for ssrfcheck (npm) May 5, 2026
lirantal Credited to lirantal
link-preview-js vulnerable to IPv6 and internal loopback attacks High
CVE-2026-43897 was published for link-preview-js (npm) May 5, 2026
Andrew-most-likely Credited to Andrew-most-likely and ospfranco ospfranco ospfranco
exiftool-vendored vulnerable to argument injection via newline characters in tag names High
CVE-2026-43893 was published for exiftool-vendored (npm) May 5, 2026
Dobby153 Credited to Dobby153
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes High
GHSA-cwj3-vqpp-pmxr was published for openclaw (npm) May 5, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution High
GHSA-r39h-4c2p-3jxp was published for openclaw (npm) May 5, 2026
Mirr2 Credited to Mirr2
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin High
GHSA-g485-8j3v-p6x8 was published for @tdurieux/anonymous_github (npm) May 5, 2026
jackfromeast Credited to jackfromeast and P3ngu1nW P3ngu1nW P3ngu1nW
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods High
CVE-2026-42047 was published for inngest (npm) May 5, 2026
benhylak Credited to benhylak
Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls High
CVE-2026-42856 was published for network-ai (npm) May 5, 2026
232-323 Credited to 232-323 and 2REBCat 2REBCat 2REBCat
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking High
CVE-2026-42033 was published for axios (npm) May 5, 2026
dolevmiz1 Credited to dolevmiz1
Axios: Header Injection via Prototype Pollution High
CVE-2026-42035 was published for axios (npm) May 5, 2026
raulvdv Credited to raulvdv
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 High
CVE-2026-42043 was published for axios (npm) May 5, 2026
sachinpatilpsp Credited to sachinpatilpsp and IAMolofficial IAMolofficial IAMolofficial
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking High
CVE-2026-42264 was published for axios (npm) May 5, 2026
bulmax9797-sketch Credited to bulmax9797-sketch
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root High
GHSA-wppj-c6mr-83jj was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database