GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,761 advisories

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no Moderate
CVE-2026-33724 was published for n8n (npm) Mar 25, 2026
Credited to kolega-ai-dev
n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK Moderate
CVE-2026-33720 was published for n8n (npm) Mar 25, 2026
Credited to subhanUmer
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching Moderate
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
Credited to ByamB4 and danez
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines Moderate
GHSA-v3rj-xjv7-4jmq was published for smol-toml (npm) Mar 25, 2026
Credited to 0xkakash1
yaml is vulnerable to Stack Overflow via deeply nested YAML collections Moderate
CVE-2026-33532 was published for yaml (npm) Mar 25, 2026
Credited to kq5y and peaktwilight
Credited to TinkAnet, climba03003, mcollina, and UlisesGascon
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers Moderate
GHSA-3mjm-x6gw-2x42 was published for @grackle-ai/server (npm) Mar 25, 2026
@grackle-ai/powerline Runs Without Authentication by Default Moderate
GHSA-xq7h-vwjp-5vrh was published for @grackle-ai/powerline (npm) Mar 25, 2026
Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands Moderate
CVE-2026-29772 was published for @astrojs/node (npm) Mar 24, 2026
Credited to adrgs and aisafe-bot
Parse Server's Session Update endpoint allows overwriting server-generated session fields Moderate
CVE-2026-33527 was published for parse-server (npm) Mar 24, 2026
Credited to offset and mtrezza
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation Moderate
GHSA-fp4x-ggrf-wmc6 was published for h3 (npm) Mar 23, 2026
Credited to offset
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service Moderate
GHSA-q5pr-72pq-83v3 was published for h3 (npm) Mar 23, 2026
Credited to offset
Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata Moderate
GHSA-rcx4-77x4-hjx5 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
GHSA-vh4c-j2xv-9pv9 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress Moderate
GHSA-g839-vp47-wgh8 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
GHSA-mxmg-3p7m-2ghr was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions Moderate
GHSA-xh9j-mpc9-2m9p was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers Moderate
GHSA-xgwg-m42c-8q62 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks Moderate
GHSA-86jj-29wc-7q2w was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability Moderate
GHSA-q94v-v6m9-jhq9 was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host Moderate
GHSA-3p2x-hjxj-c7rv was published for openclaw (npm) Mar 21, 2026 withdrawn
Credited to offset
Credited to offset