Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,153
Maven
5,000+
npm
5,000+
NuGet
861
pip
4,451
Pub
12
RubyGems
991
Rust
1,179
Swift
50
Unreviewed advisories
All unreviewed
5,000+

5,106 advisories

Loading
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode High
CVE-2026-32302 was published for openclaw (npm) Mar 12, 2026
yianworks Credited to yianworks
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction Moderate
CVE-2026-29066 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
TinaCMS Vulnerable to Path Traversal Leading to Arbitrary File Read, Write and Delete High
CVE-2026-28793 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS Critical
CVE-2026-28792 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network High
CVE-2026-26118 was published for @azure/mcp (npm) Mar 10, 2026
alzimmermsft Credited to alzimmermsft and vcolin7 vcolin7 vcolin7
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom
Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity Low
CVE-2026-31873 was published for unhead (npm) Mar 12, 2026
simonkoeck Credited to simonkoeck
Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check Moderate
CVE-2026-31860 was published for unhead (npm) Mar 12, 2026
simonkoeck Credited to simonkoeck
@tinacms/graphql has a Path Traversal issue Moderate
CVE-2026-24125 was published for @tinacms/graphql (npm) Mar 12, 2026
Hyperterse: Raw exposure of database statements in MCP search tool Moderate
CVE-2026-31841 was published for hyperterse (npm) Mar 12, 2026
Tina: Path Traversal in Media Upload Handle High
CVE-2026-28791 was published for tinacms (npm) Mar 12, 2026
yueyueL Credited to yueyueL
Keycloak vulnerable to authorization bypass via the Admin API Low
CVE-2026-2366 was published for @keycloak/keycloak-admin-client (Maven) Mar 12, 2026
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure Low
CVE-2026-3965 was published for @whyour/qinglong (npm) Mar 12, 2026
OpenClaw safeBins file-existence oracle information disclosure Moderate
CVE-2026-4040 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) Moderate
CVE-2026-4039 was published for openclaw (npm) Feb 27, 2026
nedlir Credited to nedlir
Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure Moderate
GHSA-xjj9-2w6f-jg55 was published for openclaw (npm) Mar 12, 2026 withdrawn
Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth) Moderate
GHSA-wgx8-r9vw-2w4h was published for openclaw (npm) Mar 12, 2026 withdrawn
Parse Server: Account takeover via operator injection in authentication data identifier Critical
CVE-2026-32248 was published for parse-server (npm) Mar 12, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance Critical
CVE-2026-32242 was published for parse-server (npm) Mar 12, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Trix has a Stored XSS vulnerability through serialized attributes Moderate
GHSA-qmpg-8xg6-ph5q was published for action_text-trix (RubyGems) Mar 12, 2026
Parse Server has a SQL injection via query field name when using PostgreSQL Moderate
CVE-2026-32234 was published for parse-server (npm) Mar 12, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint Moderate
CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch Low
CVE-2026-32236 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts Moderate
CVE-2026-32106 was published for studiocms (npm) Mar 12, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database