Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,340
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,549
Pub
12
RubyGems
1,012
Rust
1,202
Swift
51
Unreviewed advisories
All unreviewed
5,000+

2,093 advisories

Loading
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers High
GHSA-qm2m-28pf-hgjw was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding High
GHSA-9p93-7j67-5pc2 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
path-to-regexp vulnerable to Denial of Service via sequential optional groups High
CVE-2026-4926 was published for path-to-regexp (npm) Mar 27, 2026
uug4na Credited to uug4na, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
n8n has In-Process Memory Disclosure in its Task Runner High
CVE-2026-27496 was published for n8n (npm) Mar 25, 2026
c0rydoras Credited to c0rydoras
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia High
CVE-2026-32030 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify High
CVE-2026-33331 was published for @orpc/openapi (npm) Mar 20, 2026
abhayclasher Credited to abhayclasher
Parse Server exposes auth data via /users/me endpoint High
CVE-2026-33627 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter High
CVE-2026-33539 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers High
CVE-2026-33538 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block High
CVE-2026-33938 was published for handlebars (npm) Mar 27, 2026
evanj2357 Credited to evanj2357
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) High
CVE-2026-33896 was published for node-forge (npm) Mar 26, 2026
peaktwilight Credited to peaktwilight
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla and dderpym dderpym dderpym
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input High
CVE-2026-33891 was published for node-forge (npm) Mar 26, 2026
Kr0emer Credited to Kr0emer
Picomatch has a ReDoS vulnerability via extglob quantifiers High
CVE-2026-33671 was published for picomatch (npm) Mar 25, 2026
ByamB4 Credited to ByamB4, danez, and doowb danez danez
doowb doowb
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. High
CVE-2026-33442 was published for kysely (npm) Mar 20, 2026
offset Credited to offset and igalklebanov igalklebanov igalklebanov
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings High
CVE-2026-33468 was published for kysely (npm) Mar 20, 2026
offset Credited to offset and igalklebanov igalklebanov igalklebanov
Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns High
GHSA-wr92-6w3g-2hwc was published for openclaw (npm) Mar 21, 2026 withdrawn
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters High
CVE-2026-4867 was published for path-to-regexp (npm) Mar 27, 2026
EthanKim88 Credited to EthanKim88, blakeembrey, and UlisesGascon blakeembrey blakeembrey
UlisesGascon UlisesGascon
Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host High
CVE-2026-34076 was published for @clerk/backend (npm) Mar 27, 2026
@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools High
CVE-2026-33989 was published for @mobilenext/mobile-mcp (npm) Mar 27, 2026
AbhiTheModder Credited to AbhiTheModder
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options High
CVE-2026-33941 was published for handlebars (npm) Mar 27, 2026
Gyde04 Credited to Gyde04
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial High
CVE-2026-33940 was published for handlebars (npm) Mar 27, 2026
evanj2357 Credited to evanj2357
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation High
CVE-2026-33939 was published for handlebars (npm) Mar 27, 2026
trace37labs Credited to trace37labs
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk) High
CVE-2026-33979 was published for express-xss-sanitizer (npm) Mar 27, 2026
Lissy93 Credited to Lissy93
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database