Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,164
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,458
Pub
12
RubyGems
991
Rust
1,184
Swift
50
Unreviewed advisories
All unreviewed
5,000+

303 advisories

Loading
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-qvr7-g57c-mrc7 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch Low
CVE-2026-32236 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom
Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity Low
CVE-2026-31873 was published for unhead (npm) Mar 12, 2026
simonkoeck Credited to simonkoeck
Keycloak vulnerable to authorization bypass via the Admin API Low
CVE-2026-2366 was published for @keycloak/keycloak-admin-client (Maven) Mar 12, 2026
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure Low
CVE-2026-3965 was published for @whyour/qinglong (npm) Mar 12, 2026
Shescape has possible misidentification of shell due to link chains Low
CVE-2026-30916 was published for shescape (npm) Mar 7, 2026
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass Low
CVE-2026-29184 was published for @backstage/plugin-scaffolder-backend (npm) Mar 5, 2026
Backstage vulnerable to potential reading of SCM URLs using built in token Low
CVE-2026-29185 was published for @backstage/integration (npm) Mar 5, 2026
defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag Low
CVE-2026-30830 was published for defuddle (npm) Mar 6, 2026
TinkAnet Credited to TinkAnet
Mercurius's queryDepth limit bypassed for WebSocket subscriptions Low
CVE-2026-30241 was published for mercurius (npm) Mar 6, 2026
TinkAnet Credited to TinkAnet and mcollina mcollina mcollina
xcode-mcp-server vulnerable to Command Injection Low
CVE-2026-2178 was published for xcode-mcp-server (npm) Feb 8, 2026
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder Low
CVE-2026-27942 was published for fast-xml-parser (npm) Feb 26, 2026
julianladisch Credited to julianladisch
Dark Reader gives users the ability to request style sheets from local web servers Low
CVE-2025-68467 was published for darkreader (npm) Mar 4, 2026
mailparser vulnerable to Cross-site Scripting Low
CVE-2026-3455 was published for mailparser (npm) Mar 3, 2026
@tootallnate/once vulnerable to Incorrect Control Flow Scoping Low
CVE-2026-3449 was published for @tootallnate/once (npm) Mar 3, 2026
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access Low
GHSA-vjp8-wprm-2jw9 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode Low
GHSA-8mf7-vv8w-hjr2 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback Low
GHSA-v6x2-2qvm-6gv8 was published for openclaw (npm) Mar 3, 2026
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity Low
GHSA-gcj7-r3hg-m7w6 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model Low
GHSA-7qf6-h84j-8fq4 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's runtime /debug override path accepted prototype-reserved keys Low
GHSA-62f6-mrcj-v8h5 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions Low
GHSA-vvgp-4c28-m3jm was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read Low
GHSA-5ghc-98wh-gwwf was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Low
GHSA-5f9p-f3w2-fwch was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database