GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,781 advisories

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection (Moderate)
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
Credited to ByamB4

Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention (Moderate)
GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) Mar 26, 2026
Credited to AmirMSafari

OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts (Moderate)
GHSA-cfp9-w5v9-3q4h was published for openclaw (npm) Mar 26, 2026
Credited to YLChen-007

OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision (Moderate)
GHSA-rqp8-q22p-5j9q was published for openclaw (npm) Mar 26, 2026
Credited to tdjackey

OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions (Moderate)
GHSA-x2cm-hg9c-mf5w was published for openclaw (npm) Mar 26, 2026
Credited to space08

OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection (Moderate)
GHSA-844j-xrrq-wgh4 was published for openclaw (npm) Mar 26, 2026
Credited to lintsinghua

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens (Moderate)
GHSA-xhq5-45pm-2gjr was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent

OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete (Moderate)
GHSA-vfg3-pqpq-93m4 was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent

OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions (Moderate)
GHSA-8883-9w57-vwv6 was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent

OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status (Moderate)
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent

OpenClaw may have stale policy enforcement for queued node actions (Moderate)
GHSA-wj55-88gf-x564 was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling (Moderate)
GHSA-rm59-992w-x2mv was published for openclaw (npm) Mar 26, 2026
Credited to SEORY0

OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution (Moderate)
GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) Mar 26, 2026
Credited to nexrin

OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation (Moderate)
GHSA-h3x4-hc5v-v2gm was published for openclaw (npm) Mar 26, 2026
Credited to RacerZ-fighting and Fushuling

OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication (Moderate)
GHSA-6mqc-jqh6-x8fc was published for openclaw (npm) Mar 26, 2026
Credited to smaeljaish771

Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path` (Moderate)
CVE-2026-33768 was published for @astrojs/vercel (npm) Mar 26, 2026
Credited to jp-soba

n8n Vulnerable to LDAP Filter Injection in LDAP Node (Moderate)
CVE-2026-33751 was published for n8n (npm) Mar 26, 2026
Credited to allsmog

brace-expansion: Zero-step sequence causes process hang and memory exhaustion (Moderate)
CVE-2026-33750 was published for brace-expansion (npm) Mar 26, 2026
Credited to subhashdasyam and katzj

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering (Moderate)
CVE-2026-33749 was published for n8n (npm) Mar 26, 2026
Credited to simonkoeck

srvx is vulnerable to middleware bypass via absolute URI in request line (Moderate)
CVE-2026-33732 was published for srvx (npm) Mar 26, 2026
Credited to hibwyli

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no (Moderate)
CVE-2026-33724 was published for n8n (npm) Mar 25, 2026
Credited to kolega-ai-dev

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK (Moderate)
CVE-2026-33720 was published for n8n (npm) Mar 25, 2026
Credited to subhanUmer

Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching (Moderate)
CVE-2026-33672 was published for picomatch (npm) Mar 25, 2026
Credited to ByamB4 and danez

smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines (Moderate)
GHSA-v3rj-xjv7-4jmq was published for smol-toml (npm) Mar 25, 2026
Credited to 0xkakash1

yaml is vulnerable to Stack Overflow via deeply nested YAML collections (Moderate)
CVE-2026-33532 was published for yaml (npm) Mar 25, 2026
Credited to kq5y and peaktwilight