GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
151,738 advisories
copyparty: volflag `nohtml` did not block javascript in svg files
Moderate
CVE-2026-30974
was published
for
copyparty
(pip)
Mar 10, 2026
Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation
Moderate
CVE-2026-30964
was published
for
web-auth/webauthn-framework
(Composer)
Mar 10, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate
CVE-2026-30959
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
Actual Sync Server has an Authenticated Path Traversal
Moderate
CVE-2026-3089
was published
for
@actual-app/sync-server
(npm)
Mar 10, 2026
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Moderate
CVE-2026-30938
was published
for
parse-server
(npm)
Mar 10, 2026
flarum/nicknames extension has display name injection in notification emails (autolink & markdown)
Moderate
CVE-2026-30913
was published
for
flarum/nicknames
(Composer)
Mar 10, 2026
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
Moderate
GHSA-9q36-67vc-rrwg
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: system.run allow-always persistence included shell-commented payload tails
Moderate
GHSA-9q2p-vc84-2rwm
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: `operator.write` chat.send could reach admin-only config writes
Moderate
GHSA-hfpr-jhpq-x4rm
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Moderate
GHSA-r6qf-8968-wj9q
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Moderate
GHSA-pjvx-rx66-r3fg
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Moderate
GHSA-3h2q-j2v4-6w5r
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
Moderate
GHSA-j425-whc4-4jgc
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's hooks count non-POST requests toward auth lockout
Moderate
GHSA-6rmx-gvvg-vh6j
was published
for
openclaw
(npm)
Mar 9, 2026
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Moderate
CVE-2026-30854
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate
CVE-2026-30850
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Moderate
CVE-2026-30848
was published
for
parse-server
(npm)
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API