GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,147 advisories
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical
GHSA-rqpp-rjj8-7wv8
was published
for
openclaw
(npm)
Mar 13, 2026
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical
CVE-2026-32621
was published
for
@apollo/federation-internals
(npm)
Mar 13, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
Locutus vulnerable to RCE via unsanitized input in create_function()
Critical
CVE-2026-32304
was published
for
locutus
(npm)
Mar 13, 2026
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Critical
GHSA-4jpw-hj22-2xmc
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Critical
GHSA-xw77-45gv-p728
was published
for
openclaw
(npm)
Mar 13, 2026
SandboxJS affected by a Sandbox Escape
Critical
CVE-2026-26954
was published
for
@nyariv/sandboxjs
(npm)
Mar 13, 2026
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Critical
CVE-2026-31862
was published
for
@siteboon/claudecodeui
(npm)
Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Critical
CVE-2026-30966
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Critical
CVE-2026-30965
was published
for
parse-server
(npm)
Mar 11, 2026
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Critical
CVE-2026-29793
was published
for
@feathersjs/mongodb
(npm)
Mar 10, 2026
Feathers has an OAuth Callback Account Takeover issue
Critical
CVE-2026-29792
was published
for
@feathersjs/authentication-oauth
(npm)
Mar 10, 2026
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Critical
CVE-2026-28292
was published
for
simple-git
(npm)
Mar 10, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Critical
CVE-2026-30863
was published
for
parse-server
(npm)
Mar 9, 2026
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30921
was published
for
@oneuptime/common
(npm)
Mar 7, 2026
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Critical
CVE-2026-30887
was published
for
@oneuptime/common
(npm)
Mar 7, 2026
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
Critical
CVE-2026-28466
was published
for
openclaw
(npm)
Mar 2, 2026
ProTip!
Advisories are also available from the
GraphQL API