GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,137 advisories

Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL Critical
CVE-2026-31871 was published for parse-server (npm) Mar 11, 2026
Credited to restriction and mtrezza
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL Critical
CVE-2026-31856 was published for parse-server (npm) Mar 11, 2026
Credited to restriction and mtrezza
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters Critical
CVE-2026-31862 was published for @siteboon/claudecodeui (npm) Mar 11, 2026
Credited to toufik-airane and neo-ai-engineer
Parse Server has role escalation and CLP bypass via direct `_Join` table write Critical
CVE-2026-30966 was published for parse-server (npm) Mar 11, 2026
Credited to restriction and mtrezza
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter Critical
CVE-2026-30965 was published for parse-server (npm) Mar 11, 2026
Credited to theinfosecguy and mtrezza
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter Critical
CVE-2026-29793 was published for @feathersjs/mongodb (npm) Mar 10, 2026
Credited to sofianeelhor
Feathers has an OAuth Callback Account Takeover issue Critical
CVE-2026-29792 was published for @feathersjs/authentication-oauth (npm) Mar 10, 2026
Credited to sofianeelhor and CodeAnt-AI-Security
Parse Server: SQL injection via dot-notation field name in PostgreSQL Critical
CVE-2026-31840 was published for parse-server (npm) Mar 10, 2026
Credited to restriction and mtrezza
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30957 was published for @oneuptime/common (npm) Mar 10, 2026
Credited to maru1009
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters Critical
CVE-2026-30863 was published for parse-server (npm) Mar 9, 2026
Credited to asukachloe, mtrezza, and devanshbatham
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object Critical
CVE-2026-30921 was published for @oneuptime/common (npm) Mar 7, 2026
Credited to maru1009
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE Critical
CVE-2026-30887 was published for @oneuptime/common (npm) Mar 7, 2026
Credited to hunterxsirago1
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway Critical
CVE-2026-28466 was published for openclaw (npm) Mar 2, 2026
Credited to 222n5
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write Critical
GHSA-fgvx-58p6-gjwc was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths Critical
GHSA-6f6j-wx9w-ff4j was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
`@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization Critical
CVE-2026-28794 was published for @orpc/client (npm) Mar 2, 2026
Credited to mnixry
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization Critical
CVE-2026-27971 was published for @builder.io/qwik (npm) Mar 2, 2026
Credited to sebastianosrt
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode Critical
CVE-2026-28363 was published for openclaw (npm) Feb 27, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
Credited to sebastianosrt and mtrezza
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline Critical
CVE-2026-27739 was published for @angular/ssr (npm) Feb 25, 2026
Credited to Yenya030, alan-agius4, securityMB, AndrewKushnir, josephperrott, and dgp1130
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method Critical
CVE-2026-27699 was published for basic-ftp (npm) Feb 25, 2026
Credited to thecasual
n8n: Expression Sandbox Escape Leads to RCE Critical
CVE-2026-27577 was published for n8n (npm) Feb 25, 2026
Credited to eilonc-pillar, nil340, ediklab, hackerman70000, and zolbooo
n8n has Arbitrary Command Execution via File Write and Git Operations Critical
CVE-2026-27498 was published for n8n (npm) Feb 25, 2026
Credited to fatihhcelik