GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,782 advisories
Katello uses hard coded credential
Critical
CVE-2012-3503
was published
for
katello
(RubyGems)
May 17, 2022
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical
GHSA-rqpp-rjj8-7wv8
was published
for
openclaw
(npm)
Mar 13, 2026
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical
CVE-2026-32621
was published
for
@apollo/federation-internals
(npm)
Mar 13, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo/v6
(Go)
Mar 13, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
Locutus vulnerable to RCE via unsanitized input in create_function()
Critical
CVE-2026-32304
was published
for
locutus
(npm)
Mar 13, 2026
SM9 Infinity-Point Ciphertext Forgery Vulnerability
Critical
CVE-2026-32614
was published
for
github.com/emmansun/gmsm
(Go)
Mar 13, 2026
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Critical
GHSA-4jpw-hj22-2xmc
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Critical
GHSA-xw77-45gv-p728
was published
for
openclaw
(npm)
Mar 13, 2026
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Critical
CVE-2026-31886
was published
for
github.com/dagu-org/dagu
(Go)
Mar 13, 2026
SandboxJS affected by a Sandbox Escape
Critical
CVE-2026-26954
was published
for
@nyariv/sandboxjs
(npm)
Mar 13, 2026
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Critical
CVE-2026-32136
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Mar 12, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
xygeni-action v5 tag poisoned with C2 backdoor
Critical
CVE-2026-31976
was published
for
xygeni/xygeni-action
(GitHub Actions)
Mar 11, 2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Critical
CVE-2026-31871
was published
for
parse-server
(npm)
Mar 11, 2026
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
Critical
CVE-2026-31862
was published
for
@siteboon/claudecodeui
(npm)
Mar 11, 2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Critical
CVE-2026-31856
was published
for
parse-server
(npm)
Mar 11, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
n8n Vulnerable to Remote Code Execution via Expression Injection
Critical
CVE-2025-68613
was published
for
n8n
(npm)
Dec 22, 2025
ProTip!
Advisories are also available from the
GraphQL API