Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

2,007 advisories

Loading
Angular vulnerable to XSS in i18n attribute bindings High
CVE-2026-32635 was published for @angular/compiler (npm) Mar 13, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, securityMB, josephperrott, crisbeto, and hdtmccallie AndrewKushnir AndrewKushnir
securityMB securityMB josephperrott josephperrott crisbeto crisbeto hdtmccallie hdtmccallie
OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux) High
CVE-2026-32063 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API High
CVE-2026-30946 was published for parse-server (npm) Mar 11, 2026
mtrezza Credited to mtrezza
OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection High
GHSA-g2f6-pwvx-r275 was published for openclaw (npm) Mar 16, 2026
lintsinghua Credited to lintsinghua
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion High
GHSA-jq3f-vjww-8rq7 was published for openclaw (npm) Mar 16, 2026
space08 Credited to space08
OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval High
GHSA-63f5-hhc7-cx6p was published for openclaw (npm) Mar 16, 2026
tdjackey Credited to tdjackey
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries High
CVE-2026-32728 was published for parse-server (npm) Mar 16, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script High
CVE-2026-4092 was published for @google/clasp (npm) Mar 13, 2026
g0w6y Credited to g0w6y
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode High
CVE-2026-32302 was published for openclaw (npm) Mar 12, 2026
yianworks Credited to yianworks
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") High
CVE-2026-32308 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter High
CVE-2026-29112 was published for @dicebear/converter (npm) Mar 16, 2026
maru1009 Credited to maru1009
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS High
CVE-2026-23950 was published for tar (npm) Jan 21, 2026
tomasilluminati Credited to tomasilluminati, ssushant0011, and urielcos ssushant0011 ssushant0011
urielcos urielcos
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only) High
CVE-2024-27303 was published for app-builder-lib (npm) Mar 4, 2024
bruno-1337 Credited to bruno-1337
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-g353-mgv3-8pcj was published for openclaw (npm) Mar 13, 2026
lintsinghua Credited to lintsinghua
OpenClaw: Gateway `agent` calls could override the workspace boundary High
GHSA-2rqg-gjgv-84jm was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state High
GHSA-wcxr-59v9-rxr8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories High
GHSA-99qw-6mr3-36qr was published for openclaw (npm) Mar 13, 2026
lintsinghua Credited to lintsinghua
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces High
GHSA-r7vr-gr74-94p8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes High
GHSA-vmhq-cqm9-6p7q was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression High
CVE-2026-1526 was published for undici (npm) Mar 13, 2026
HO-9 Credited to HO-9, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation High
CVE-2026-2229 was published for undici (npm) Mar 13, 2026
aisle-research Credited to aisle-research, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client High
CVE-2026-1528 was published for undici (npm) Mar 13, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution High
CVE-2026-29783 was published for @github/copilot (npm) Mar 6, 2026
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database