GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,710 advisories
Parse Server affected by empty authData bypassing credential requirement on signup
Moderate · CVE-2026-33042 was published for parse-server (npm) · Mar 17, 2026

Parse Server LiveQuery subscription with invalid regular expression crashes server
Moderate · CVE-2026-32770 was published for parse-server (npm) · Mar 17, 2026

Parse Server session creation endpoint allows overwriting server-generated session fields
Moderate · CVE-2026-32742 was published for parse-server (npm) · Mar 17, 2026

Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Moderate · CVE-2026-32878 was published for parse-server (npm) · Mar 17, 2026

Elysia Cookie Value Prototype Pollution
Moderate · CVE-2026-31865 was published for elysia (npm) · Mar 17, 2026

Next.js: HTTP request smuggling in rewrites
Moderate · CVE-2026-29057 was published for next (npm) · Mar 17, 2026

Next.js: Unbounded next/image disk cache growth can exhaust storage
Moderate · CVE-2026-27980 was published for next (npm) · Mar 17, 2026

Next.js: Unbounded postponed resume buffering can lead to DoS
Moderate · CVE-2026-27979 was published for next (npm) · Mar 17, 2026

Next.js: null origin can bypass Server Actions CSRF checks
Moderate · CVE-2026-27978 was published for next (npm) · Mar 17, 2026

OpenClaw session transcript files were created without forced user-only permissions
Moderate · GHSA-vr7j-g7jv-h5mp was published for openclaw (npm) · Mar 16, 2026

OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs
Moderate · GHSA-xwcj-hwhf-h378 was published for openclaw (npm) · Mar 16, 2026

SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers
Moderate · CVE-2026-32723 was published for @nyariv/sandboxjs (npm) · Mar 16, 2026

file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
Moderate · CVE-2026-32630 was published for file-type (npm) · Mar 13, 2026

OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Moderate · GHSA-5m9r-p9g7-679c was published for openclaw (npm) · Mar 13, 2026

OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Moderate · GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) · Mar 13, 2026

OpenClaw: Feishu reaction events could bypass group authorization and mention gating
Moderate · GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) · Mar 13, 2026

OpenClaw: Pairing setup codes exposed long-lived shared gateway credentials instead of short-lived bootstrap tokens
Moderate · GHSA-7h7g-x2px-94hj was published for openclaw (npm) · Mar 13, 2026

OpenClaw's Zalouser allowlist authorization matched mutable group names by default
Moderate · GHSA-f5mf-3r52-r83w was published for openclaw (npm) · Mar 13, 2026

Undici has CRLF Injection in undici via `upgrade` option
Moderate · CVE-2026-1527 was published for undici (npm) · Mar 13, 2026

Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
Moderate · CVE-2026-2581 was published for undici (npm) · Mar 13, 2026

Undici has an HTTP Request/Response Smuggling issue
Moderate · CVE-2026-1525 was published for undici (npm) · Mar 13, 2026

OneUptime: Password Reset Token Logged at INFO Level
Moderate · CVE-2026-32598 was published for oneuptime (npm) · Mar 13, 2026

Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Moderate · CVE-2026-32594 was published for parse-server (npm) · Mar 13, 2026

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Moderate · CVE-2026-32269 was published for parse-server (npm) · Mar 13, 2026

OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists
Moderate · GHSA-9vvh-2768-c8vp was published for openclaw (npm) · Mar 13, 2026

ProTip! Advisories are also available from the GraphQL API.