GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,788 advisories

Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() High
GHSA-5c6j-r48x-rmvq was published for serialize-javascript (npm) Feb 28, 2026
Credited to uug4na
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware High
CVE-2026-2880 was published for @fastify/middie (npm) Feb 28, 2026
Credited to tachote, mcollina, and UlisesGascon
Credited to elliott-with-the-longest-name-on-github and jviide
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata Moderate
GHSA-7jx5-9fjg-hp4m was published for openclaw (npm) Feb 27, 2026
Credited to nedlir
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) Moderate
GHSA-82g8-464f-2mv7 was published for openclaw (npm) Feb 27, 2026
Credited to nedlir
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode Moderate
CVE-2026-27638 was published for @actual-app/sync-server (npm) Feb 27, 2026
Credited to q1uf3ng
Angular i18n vulnerable to Cross-Site Scripting High
CVE-2026-27970 was published for @angular/core (npm) Feb 27, 2026
Credited to AndrewKushnir, josephperrott, alan-agius4, and dgp1130
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode Critical
CVE-2026-28363 was published for openclaw (npm) Feb 27, 2026
n8n has Webhook Forgery on Zendesk Trigger Node Moderate
GHSA-38c7-23hj-2wgq was published for n8n (npm) Feb 26, 2026
Credited to nkoorty and jjjutla
n8n has a Guardrail Node Bypass Moderate
GHSA-fvfv-ppw4-7h2w was published for n8n (npm) Feb 26, 2026
Credited to akirilov
n8n has an Authentication Bypass in its Chat Trigger Node Moderate
GHSA-jh8h-6c9q-7gmw was published for n8n (npm) Feb 26, 2026
Credited to sm1ee
n8n has an SSO Enforcement Bypass in its Self-Service Settings API Moderate
GHSA-vjf3-2gpj-233v was published for n8n (npm) Feb 26, 2026
Credited to stanislavfortaisle
Koa has Host Header Injection via ctx.hostname High
CVE-2026-27959 was published for koa (npm) Feb 26, 2026
Credited to p80n-sec
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder Low
CVE-2026-27942 was published for fast-xml-parser (npm) Feb 26, 2026
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers Moderate
CVE-2026-27902 was published for svelte (npm) Feb 26, 2026
Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and maksyche
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` Moderate
CVE-2026-27901 was published for svelte (npm) Feb 26, 2026
Credited to elliott-with-the-longest-name-on-github and KarimPwnz
Credited to dolevmiz1
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions High
CVE-2026-27904 was published for minimatch (npm) Feb 26, 2026
Credited to dolevmiz1
Credited to 76embiid21
n8n: Webhook Forgery on Github Webhook Trigger Moderate
GHSA-mqpr-49jj-32rc was published for n8n (npm) Feb 26, 2026
Credited to simonkoeck
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes Moderate
GHSA-f3f2-mcxc-pwjx was published for n8n (npm) Feb 26, 2026
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist High
CVE-2026-27818 was published for terriajs-server (npm) Feb 26, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking High
CVE-2026-27148 was published for storybook (npm) Feb 26, 2026
Credited to Aikido-Security, reindaelman, grumpinout1, and JorianWoltjer
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
Credited to sebastianosrt and mtrezza
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader Moderate
CVE-2026-27795 was published for @langchain/community (npm) Feb 25, 2026
Credited to r3dbrothers and hntrl