GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem:

| Ecosystem | Reviewed advisories |
|---|---|
| All reviewed | 5,000+ |
| Composer | 5,000+ |
| Erlang | 46 |
| GitHub Actions | 48 |
| Go | 3,343 |
| Maven | 5,000+ |
| npm | 5,000+ |
| NuGet | 881 |
| pip | 4,550 |
| Pub | 12 |
| RubyGems | 1,013 |
| Rust | 1,203 |
| Swift | 51 |

Unreviewed advisories (all): 5,000+

2,102 advisories match the current filter; the first 25 are listed below.
| Advisory | Severity | Identifier | Package (ecosystem) | Published |
|---|---|---|---|---|
| Forge has signature forgery in RSA-PKCS due to ASN.1 extra field | High | CVE-2026-33894 | node-forge (npm) | Mar 26, 2026 |
| jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction | High | CVE-2026-4601 | jsrsasign (npm) | Mar 23, 2026 |
| jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs | High | CVE-2026-4598 | jsrsasign (npm) | Mar 23, 2026 |
| OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` | High | GHSA-h4jx-hjr3-fhgc | openclaw (npm) | Mar 29, 2026 |
| OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) | High | GHSA-rhfg-j8jq-7v2h | openclaw (npm) | Mar 29, 2026 |
| OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility | High | GHSA-q2qc-744p-66r2 | openclaw (npm) | Mar 29, 2026 |
| MikroORM has Prototype Pollution in Utils.merge | High | CVE-2026-34221 | @mikro-orm/core (npm) | Mar 29, 2026 |
| Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies | High | CVE-2026-34226 | happy-dom (npm) | Mar 29, 2026 |
| Parse Server exposes auth data via verify password endpoint | High | CVE-2026-34215 | parse-server (npm) | Mar 29, 2026 |
| mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality | High | CVE-2026-34209 | mppx (npm) | Mar 29, 2026 |
| OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers | High | GHSA-qm2m-28pf-hgjw | openclaw (npm) | Mar 27, 2026 |
| OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding | High | GHSA-9p93-7j67-5pc2 | openclaw (npm) | Mar 27, 2026 |
| path-to-regexp vulnerable to Denial of Service via sequential optional groups | High | CVE-2026-4926 | path-to-regexp (npm) | Mar 27, 2026 |
| n8n has In-Process Memory Disclosure in its Task Runner | High | CVE-2026-27496 | n8n (npm) | Mar 25, 2026 |
| OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia | High | CVE-2026-32030 | openclaw (npm) | Mar 3, 2026 |
| oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify | High | CVE-2026-33331 | @orpc/openapi (npm) | Mar 20, 2026 |
| Parse Server exposes auth data via /users/me endpoint | High | CVE-2026-33627 | parse-server (npm) | Mar 24, 2026 |
| Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter | High | CVE-2026-33539 | parse-server (npm) | Mar 24, 2026 |
| Parse Server: Denial of Service via unindexed database query for unconfigured auth providers | High | CVE-2026-33538 | parse-server (npm) | Mar 24, 2026 |
| Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | High | CVE-2026-33938 | handlebars (npm) | Mar 27, 2026 |
| Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) | High | CVE-2026-33896 | node-forge (npm) | Mar 26, 2026 |
| Forge has signature forgery in Ed25519 due to missing S > L check | High | CVE-2026-33895 | node-forge (npm) | Mar 26, 2026 |
| Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input | High | CVE-2026-33891 | node-forge (npm) | Mar 26, 2026 |
| Picomatch has a ReDoS vulnerability via extglob quantifiers | High | CVE-2026-33671 | picomatch (npm) | Mar 25, 2026 |
| Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys | High | CVE-2026-33442 | kysely (npm) | Mar 20, 2026 |
ProTip! Advisories are also available from the GraphQL API.