GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,853 advisories

yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent
Severity: High
CVE-2025-70058 was published for yapi-vendor (npm) Feb 23, 2026

Rollup 4 has Arbitrary File Write via Path Traversal
Severity: High
CVE-2026-27606 was published for rollup (npm) Feb 25, 2026
Credited to viralvaghela

n8n Vulnerable to Stored XSS via Various Nodes
Severity: High
CVE-2026-27578 was published for n8n (npm) Feb 25, 2026
Credited to ori-ron, Aikido-Security, and nil340

n8n has Arbitrary File Read via Python Code Node Sandbox Escape
Severity: High
CVE-2026-27494 was published for n8n (npm) Feb 25, 2026
Credited to MarcoPoloPie and Nico-Posada

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Severity: High
CVE-2026-27610 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza

Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Severity: High
CVE-2026-27609 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Severity: High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
Credited to EdamAme-x

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Severity: High
CVE-2026-26996 was published for minimatch (npm) Feb 18, 2026
Credited to AkshayJainG, ljharb, G-Rath, thomas-schlein, isaacs, and SamanthaPersico

Credited to dduzgun-security

OpenClaw: Prevent shell injection in macOS keychain credential write
Severity: High
CVE-2026-27487 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

Feathers exposes internal headers via unencrypted session cookie
Severity: High
CVE-2026-27193 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0

Feathers has an origin validation bypass via prefix matching
Severity: High
CVE-2026-27192 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0

Feathers has an open redirect in OAuth callback enables account takeover
Severity: High
CVE-2026-27191 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0

eBay API MCP Server Affected by Environment Variable Injection
Severity: High
CVE-2026-27203 was published for ebay-mcp (npm) Feb 19, 2026
Credited to nedlir

Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
Severity: High
CVE-2026-26974 was published for @tygo-van-den-hurk/slyde (npm) Feb 18, 2026
Credited to Tygo-van-den-Hurk

Credited to scumfrog

OpenClaw: Docker container escape via unvalidated bind mount config injection
Severity: High
CVE-2026-27002 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

OpenClaw: Unsanitized CWD path injection into LLM prompts
Severity: High
CVE-2026-27001 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

Credited to vincentkoc

OpenClaw has a command injection in maintainer clawtributors updater
Severity: High
CVE-2026-26323 was published for openclaw (npm) Feb 18, 2026
Credited to scanleale and MegaManSec

OpenClaw has a path traversal in browser upload allows local file read
Severity: High
CVE-2026-26329 was published for openclaw (npm) Feb 18, 2026
Credited to p80n-sec

OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
Severity: High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
Credited to simecek and stanislavfortaisle

OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
Severity: High
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
Credited to christos-eth

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
Severity: High
CVE-2026-26324 was published for openclaw (npm) Feb 17, 2026
Credited to yueyueL

OpenClaw Gateway tool allowed unrestricted gatewayUrl override
Severity: High
CVE-2026-26322 was published for openclaw (npm) Feb 17, 2026
Credited to p80n-sec