Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
42
Go
3,124
Maven
5,000+
npm
5,000+
NuGet
826
pip
4,434
Pub
12
RubyGems
988
Rust
1,172
Swift
50
Unreviewed advisories
All unreviewed
5,000+

5,032 advisories

Loading
OneUptime has WhatsApp Resend Verification Authorization Bypass Moderate
CVE-2026-30959 was published for @oneuptime/common (npm) Mar 10, 2026
Aryma-f4 Credited to Aryma-f4
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30957 was published for @oneuptime/common (npm) Mar 10, 2026
maru1009 Credited to maru1009
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover Critical
CVE-2026-30956 was published for @oneuptime/common (npm) Mar 10, 2026
Zwique Credited to Zwique
liquidjs has a path traversal fallback vulnerability High
CVE-2026-30952 was published for liquidjs (npm) Mar 10, 2026
MorielHarush Credited to MorielHarush and ByamB4 ByamB4 ByamB4
Actual Sync Server has an Authenticated Path Traversal Moderate
CVE-2026-3089 was published for @actual-app/sync-server (npm) Mar 10, 2026
js-patarroyo Credited to js-patarroyo
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution High
CVE-2026-30939 was published for parse-server (npm) Mar 10, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement Moderate
CVE-2026-30938 was published for parse-server (npm) Mar 10, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery High
CVE-2026-30925 was published for parse-server (npm) Mar 10, 2026
TinkAnet Credited to TinkAnet and mtrezza mtrezza mtrezza
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
0x5t Credited to 0x5t
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions Moderate
GHSA-9q36-67vc-rrwg was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run allow-always persistence included shell-commented payload tails Moderate
GHSA-9q2p-vc84-2rwm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: `operator.write` chat.send could reach admin-only config writes Moderate
GHSA-hfpr-jhpq-x4rm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating Moderate
GHSA-r6qf-8968-wj9q was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects High
GHSA-6mgf-v5j7-45cr was published for openclaw (npm) Mar 9, 2026
Rickidevs Credited to Rickidevs
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping Moderate
GHSA-pjvx-rx66-r3fg was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers Moderate
GHSA-3h2q-j2v4-6w5r was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots Moderate
GHSA-j425-whc4-4jgc was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey, SnailSploit, and zpbrent SnailSploit SnailSploit
zpbrent zpbrent
OpenClaw's hooks count non-POST requests toward auth lockout Moderate
GHSA-6rmx-gvvg-vh6j was published for openclaw (npm) Mar 9, 2026
JNX03 Credited to JNX03
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage High
GHSA-rchv-x836-w7xp was published for openclaw (npm) Mar 9, 2026
whiter6666 Credited to whiter6666
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled Moderate
CVE-2026-30854 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization Moderate
CVE-2026-30850 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory Moderate
CVE-2026-30848 was published for parse-server (npm) Mar 9, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
@budibase/server: Command Injection in PostgreSQL Dump Command Critical
CVE-2026-25041 was published for @budibase/server (npm) Mar 9, 2026
omkarparth Credited to omkarparth
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database