GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,115 advisories

Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
Credited to thecasual
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
Credited to eilonc-pillar, nil340, ediklab, hackerman70000, and zolbooo
n8n has Arbitrary Command Execution via File Write and Git Operations Critical
CVE-2026-27498 was published for n8n (npm) Feb 25, 2026
Credited to fatihhcelik
n8n has Potential Remote Code Execution via Merge Node Critical
CVE-2026-27497 was published for n8n (npm) Feb 25, 2026
Credited to allsmog and nil340
n8n has a Sandbox Escape in its JavaScript Task Runner Critical
CVE-2026-27495 was published for n8n (npm) Feb 25, 2026
Credited to c0rydoras
n8n has Unauthenticated Expression Evaluation via Form Node Critical
CVE-2026-27493 was published for n8n (npm) Feb 25, 2026
Credited to eilonc-pillar
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza and ByamB4
Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) Critical
CVE-2026-27702 was published for budibase (npm) Feb 25, 2026
Credited to vicevirus
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
Credited to ByamB4 and mtrezza
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() Critical
CVE-2026-27728 was published for @oneuptime/common (npm) Feb 25, 2026
Credited to dxlerYT
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
Credited to c0rydoras and frontegg-david
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints Critical
CVE-2026-27584 was published for @actual-app/sync-server (npm) Feb 24, 2026
Credited to iamsilk
OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE Critical
CVE-2026-27574 was published for @oneuptime/common (npm) Feb 24, 2026
Credited to ByamB4
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names Critical
CVE-2026-25896 was published for fast-xml-parser (npm) Feb 20, 2026
Credited to Ochk0
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
Credited to kevgeoleo, vdata1, and reallyTG
Ghost has a SQL injection in Content API Critical
CVE-2026-26980 was published for ghost (npm) Feb 18, 2026
OpenClaw has a Path Traversal in Plugin Installation Critical
GHSA-qrq5-wjgg-rvqw was published for openclaw (npm) Feb 17, 2026
Credited to logicx24
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching) Critical
GHSA-4rj2-gpmh-qq5x was published for openclaw (npm) Feb 17, 2026
Credited to simecek, stanislavfortaisle, and MegaManSec
Nextcloud Talk allowlist bypass via actor.name display name spoofing Critical
GHSA-r5h9-vjqc-hq3r was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
GHSA-fhvm-j76f-qmjv was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated Critical
GHSA-rv39-79c4-7459 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
Credited to kevgeoleo, vdata1, and reallyTG
CASL Ability is Vulnerable to Prototype Pollution Critical
CVE-2026-1774 was published for @casl/ability (npm) Feb 10, 2026
FUXA Unauthenticated Remote Arbitrary Scheduler Write Critical
CVE-2026-25939 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen