GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,755 advisories
| Advisory | Severity | Identifier | Package (ecosystem) | Published | Status |
|---|---|---|---|---|---|
| Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands | Moderate | CVE-2026-29772 | @astrojs/node (npm) | Mar 24, 2026 | |
| Parse Server's Session Update endpoint allows overwriting server-generated session fields | Moderate | CVE-2026-33527 | parse-server (npm) | Mar 24, 2026 | |
| H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation | Moderate | GHSA-fp4x-ggrf-wmc6 | h3 (npm) | Mar 23, 2026 | |
| H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service | Moderate | GHSA-q5pr-72pq-83v3 | h3 (npm) | Mar 23, 2026 | |
| Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata | Moderate | GHSA-rcx4-77x4-hjx5 | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) | Moderate | GHSA-vh4c-j2xv-9pv9 | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress | Moderate | GHSA-g839-vp47-wgh8 | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse | Moderate | GHSA-3r78-rqg8-95gg | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed | Moderate | GHSA-mxmg-3p7m-2ghr | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions | Moderate | GHSA-xh9j-mpc9-2m9p | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers | Moderate | GHSA-xgwg-m42c-8q62 | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text | Moderate | GHSA-w6f4-3v35-qjhj | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks | Moderate | GHSA-86jj-29wc-7q2w | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability | Moderate | GHSA-q94v-v6m9-jhq9 | openclaw (npm) | Mar 21, 2026 | withdrawn |
| Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host | Moderate | GHSA-3p2x-hjxj-c7rv | openclaw (npm) | Mar 21, 2026 | withdrawn |
| h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix) | Moderate | GHSA-4hxc-9384-m385 | h3 (npm) | Mar 20, 2026 | |
| h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e` | Moderate | GHSA-72gr-qfp7-vwhw | h3 (npm) | Mar 20, 2026 | |
| Parse Server has a protected field change detection oracle via LiveQuery watch parameter | Moderate | CVE-2026-33429 | parse-server (npm) | Mar 20, 2026 | |
| PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled | Moderate | GHSA-pgx6-7jcq-2qff | @pdfme/common (npm) | Mar 20, 2026 | |
| PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel | Moderate | GHSA-xgx4-2wgv-4jhm | @pdfme/schemas (npm) | Mar 20, 2026 | |
| PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS | Moderate | GHSA-vrqm-gvq7-rrwh | @pdfme/pdf-lib (npm) | Mar 20, 2026 | |
| Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR | Moderate | CVE-2026-33397 | @angular/ssr (npm) | Mar 19, 2026 | |
| Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser | Moderate | CVE-2026-33349 | fast-xml-parser (npm) | Mar 19, 2026 | |
| @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix) | Moderate | CVE-2026-33326 | @keystone-6/core (npm) | Mar 19, 2026 | |
| Parse Server email verification resend page leaks user existence | Moderate | CVE-2026-33323 | parse-server (npm) | Mar 19, 2026 | |