GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories (all reviewed: 5,000+), by ecosystem: Composer 5,000+; Erlang 40; GitHub Actions 41; Go 3,016; Maven 5,000+; npm 4,737; NuGet 814; pip 4,347; Pub 12; RubyGems 987; Rust 1,140; Swift 50.
Unreviewed advisories (all unreviewed): 5,000+.
4,738 advisories listed below (title, severity, advisory ID, affected package and ecosystem, publication date).
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints [Critical]. CVE-2026-27584 was published for @actual-app/sync-server (npm) on Feb 24, 2026.
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads [Moderate]. CVE-2026-27567 was published for payload (npm) on Feb 24, 2026.
OneUptime:: node:vm sandbox escape in probe allows any project member to achieve RCE [Critical]. CVE-2026-27574 was published for @oneuptime/common (npm) on Feb 24, 2026.
Astro has Full-Read SSRF in error rendering via Host: header injection [Moderate]. CVE-2026-25545 was published for @astrojs/node (npm) on Feb 23, 2026.
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs [Moderate]. CVE-2026-27576 was published for openclaw (npm) on Feb 20, 2026.
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused [Moderate]. CVE-2026-27492 was published for lettermint (npm) on Feb 20, 2026.
OpenClaw hardened cron webhook delivery against SSRF [Moderate]. CVE-2026-27488 was published for openclaw (npm) on Feb 20, 2026.
OpenClaw: Reject symlinks in local skill packaging script [Moderate]. CVE-2026-27485 was published for openclaw (npm) on Feb 20, 2026.
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows [Low]. CVE-2026-27484 was published for openclaw (npm) on Feb 20, 2026.
Sync-in Server has a stored cross-site scripting (XSS) vulnerability [Moderate]. CVE-2025-67438 was published for @sync-in/server (npm) on Feb 20, 2026.
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names [Critical]. CVE-2026-25896 was published for fast-xml-parser (npm) on Feb 20, 2026.
bn.js affected by an infinite loop [Moderate]. CVE-2026-2739 was published for bn.js (npm) on Feb 20, 2026.
OpenClaw safeBins file-existence oracle information disclosure [Moderate]. GHSA-6c9j-x93c-rw6j was published for openclaw (npm) on Feb 19, 2026.
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags [Low]. GHSA-4685-c5cp-vp95 was published for openclaw (npm) on Feb 19, 2026.
OpenClaw has a path traversal in apply_patch that could write/delete files outside the workspace [High]. GHSA-r5fq-947m-xm57 was published for openclaw (npm) on Feb 19, 2026.
Pannellum has an XSS vulnerability in hot spot attributes [Moderate]. CVE-2026-27210 was published for pannellum (npm) on Feb 19, 2026.
Feathers exposes internal headers via unencrypted session cookie [High]. CVE-2026-27193 was published for @feathersjs/authentication-oauth (npm) on Feb 19, 2026.
Feathers has an origin validation bypass via prefix matching [High]. CVE-2026-27192 was published for @feathersjs/authentication-oauth (npm) on Feb 19, 2026.
Feathers has an open redirect in OAuth callback that enables account takeover [High]. CVE-2026-27191 was published for @feathersjs/authentication-oauth (npm) on Feb 19, 2026.
CPU exhaustion in SvelteKit remote form deserialization (experimental only) [Moderate]. GHSA-88qp-p4qg-rqm6 was published for @sveltejs/kit (npm) on Feb 19, 2026.
Memory exhaustion in SvelteKit remote form deserialization (experimental only) [Moderate]. GHSA-vrhm-gvg7-fpcf was published for @sveltejs/kit (npm) on Feb 19, 2026.
devalue affected by CPU and memory amplification from sparse arrays [Low]. GHSA-33hq-fvwr-56pm was published for devalue (npm) on Feb 19, 2026.
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed [Low]. GHSA-8qm3-746x-r74r was published for devalue (npm) on Feb 19, 2026.
Svelte SSR attribute spreading includes inherited properties from prototype chain [Moderate]. CVE-2026-27125 was published for svelte (npm) on Feb 19, 2026.
Advisories are also available from the GraphQL API.