Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,016
Maven
5,000+
npm
4,737
NuGet
814
pip
4,347
Pub
12
RubyGems
987
Rust
1,140
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,515 advisories

Loading
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads Moderate
CVE-2026-27567 was published for payload (npm) Feb 24, 2026
r3dbrothers
Credited to r3dbrothers
Astro has Full-Read SSRF in error rendering via Host: header injection Moderate
CVE-2026-25545 was published for @astrojs/node (npm) Feb 23, 2026
Aikido-Security reindaelman
grumpinout1
Credited to Aikido-Security, reindaelman, and grumpinout1
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs Moderate
CVE-2026-27576 was published for openclaw (npm) Feb 20, 2026
aether-ai-agent
Credited to aether-ai-agent
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused Moderate
CVE-2026-27492 was published for lettermint (npm) Feb 20, 2026
OpenClaw hardened cron webhook delivery against SSRF Moderate
CVE-2026-27488 was published for openclaw (npm) Feb 20, 2026
Adam55A-code
Credited to Adam55A-code
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
aether-ai-agent
Credited to aether-ai-agent
Sync-in Server has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-67438 was published for @sync-in/server (npm) Feb 20, 2026
bn.js affected by an infinite loop Moderate
CVE-2026-2739 was published for bn.js (npm) Feb 20, 2026
richardsimko jochenschmich-aeberle
Credited to richardsimko and jochenschmich-aeberle
OpenClaw safeBins file-existence oracle information disclosure Moderate
GHSA-6c9j-x93c-rw6j was published for openclaw (npm) Feb 19, 2026
nedlir
Credited to nedlir
Pannellum has a XSS vulnerability in hot spot attributes Moderate
CVE-2026-27210 was published for pannellum (npm) Feb 19, 2026
lumin9ry SUT0L
Visvge
Credited to lumin9ry, SUT0L, and Visvge
CPU exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-88qp-p4qg-rqm6 was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
Memory exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-vrhm-gvg7-fpcf was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
OpenClaw replaced a deprecated sandbox hash algorithm Moderate
GHSA-fh3f-q9qw-93j9 was published for openclaw (npm) Feb 19, 2026
kexinoh
Credited to kexinoh
OpenClaw has a Web Fetch DoS via unbounded response parsing Moderate
GHSA-p536-vvpp-9mc8 was published for openclaw (npm) Feb 19, 2026
xuemian168 ShangzhiXu
Credited to xuemian168 and ShangzhiXu
Svelte SSR does not validate dynamic element tag names in `<svelte:element>` Moderate
CVE-2026-27122 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
Svelte affected by cross-site scripting via spread attributes in Svelte SSR Moderate
CVE-2026-27121 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
Svelte affected by XSS in SSR `<option>` element Moderate
CVE-2026-27119 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
Cache poisoning in @sveltejs/adapter-vercel Moderate
CVE-2026-27118 was published for @sveltejs/adapter-vercel (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github
Credited to elliott-with-the-longest-name-on-github
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection Moderate
CVE-2026-27009 was published for openclaw (npm) Feb 18, 2026
Adam55A-code
Credited to Adam55A-code
OpenClaw hardened the skill download target directory validation Moderate
CVE-2026-27008 was published for openclaw (npm) Feb 18, 2026
Adam55A-code
Credited to Adam55A-code
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation Moderate
CVE-2026-27007 was published for openclaw (npm) Feb 18, 2026
kexinoh
Credited to kexinoh
OpenClaw session tool visibility hardening and Telegram webhook secret fallback Moderate
CVE-2026-27004 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
OpenClaw: Telegram bot token exposure via logs Moderate
CVE-2026-27003 was published for openclaw (npm) Feb 18, 2026
aether-ai-agent
Credited to aether-ai-agent
RediSearch Query Injection in @langchain/langgraph-checkpoint-redis Moderate
CVE-2026-27022 was published for @langchain/langgraph-checkpoint-redis (npm) Feb 18, 2026
yardenporat353 hntrl
Credited to yardenporat353 and hntrl
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database