GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
40
GitHub Actions
41
Go
3,044
Maven
5,000+
npm
4,782
NuGet
825
pip
4,382
Pub
12
RubyGems
987
Rust
1,143
Swift
50
Unreviewed advisories
All unreviewed
5,000+
4,783 advisories
Filter by severity
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Moderate
GHSA-82g8-464f-2mv7
was published
for
openclaw
(npm)
Feb 27, 2026
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Moderate
CVE-2026-27638
was published
for
@actual-app/sync-server
(npm)
Feb 27, 2026
Angular i18n vulnerable to Cross-Site Scripting
High
CVE-2026-27970
was published
for
@angular/core
(npm)
Feb 27, 2026
n8n has Webhook Forgery on Zendesk Trigger Node
Moderate
GHSA-38c7-23hj-2wgq
was published
for
n8n
(npm)
Feb 26, 2026
n8n has a Guardrail Node Bypass
Moderate
GHSA-fvfv-ppw4-7h2w
was published
for
n8n
(npm)
Feb 26, 2026
n8n has an Authentication Bypass in its Chat Trigger Node
Moderate
GHSA-jh8h-6c9q-7gmw
was published
for
n8n
(npm)
Feb 26, 2026
n8n has an SSO Enforcement Bypass in its Self-Service Settings API
Moderate
GHSA-vjf3-2gpj-233v
was published
for
n8n
(npm)
Feb 26, 2026
Koa has Host Header Injection via ctx.hostname
High
CVE-2026-27959
was published
for
koa
(npm)
Feb 26, 2026
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Low
CVE-2026-27942
was published
for
fast-xml-parser
(npm)
Feb 26, 2026
Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers
Moderate
CVE-2026-27902
was published
for
svelte
(npm)
Feb 26, 2026
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Moderate
CVE-2026-27901
was published
for
svelte
(npm)
Feb 26, 2026
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
High
CVE-2026-27903
was published
for
minimatch
(npm)
Feb 26, 2026
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
High
CVE-2026-27904
was published
for
minimatch
(npm)
Feb 26, 2026
dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
Moderate
CVE-2026-27837
was published
for
dottie
(npm)
Feb 26, 2026
n8n: Webhook Forgery on Github Webhook Trigger
Moderate
GHSA-mqpr-49jj-32rc
was published
for
n8n
(npm)
Feb 26, 2026
n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
Moderate
GHSA-f3f2-mcxc-pwjx
was published
for
n8n
(npm)
Feb 26, 2026
TerriaJS-Server has a domain validation bypass vulnerability in its proxy allowlist
High
CVE-2026-27818
was published
for
terriajs-server
(npm)
Feb 26, 2026
Storybook Dev Server is Vulnerable to WebSocket Hijacking
High
CVE-2026-27148
was published
for
storybook
(npm)
Feb 26, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Critical
CVE-2026-27804
was published
for
parse-server
(npm)
Feb 25, 2026
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Moderate
CVE-2026-27795
was published
for
@langchain/community
(npm)
Feb 25, 2026
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Critical
CVE-2026-27739
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Moderate
CVE-2026-27738
was published
for
@angular/ssr
(npm)
Feb 25, 2026
Rollup 4 has Arbitrary File Write via Path Traversal
High
CVE-2026-27606
was published
for
rollup
(npm)
Feb 25, 2026
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
Critical
CVE-2026-27699
was published
for
basic-ftp
(npm)
Feb 25, 2026
Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
Moderate
CVE-2026-27729
was published
for
@astrojs/node
(npm)
Feb 25, 2026
ProTip!
Advisories are also available from the
GraphQL API