Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

5,159 advisories

Loading
Parse Server's GraphQL WebSocket endpoint bypasses security middleware Moderate
CVE-2026-32594 was published for parse-server (npm) Mar 13, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Angular vulnerable to XSS in i18n attribute bindings High
CVE-2026-32635 was published for @angular/compiler (npm) Mar 13, 2026
alan-agius4 Credited to alan-agius4, AndrewKushnir, securityMB, josephperrott, and crisbeto AndrewKushnir AndrewKushnir
securityMB securityMB josephperrott josephperrott crisbeto crisbeto
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry Moderate
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux) High
CVE-2026-32063 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
crypto-js uses insecure random numbers Moderate
CVE-2020-36732 was published for crypto-js (npm) Jun 12, 2023
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API High
CVE-2026-30946 was published for parse-server (npm) Mar 11, 2026
mtrezza Credited to mtrezza
OpenClaw session transcript files were created without forced user-only permissions Moderate
GHSA-vr7j-g7jv-h5mp was published for openclaw (npm) Mar 16, 2026
hsongkai11 Credited to hsongkai11
OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection High
GHSA-g2f6-pwvx-r275 was published for openclaw (npm) Mar 16, 2026
lintsinghua Credited to lintsinghua
OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion High
GHSA-jq3f-vjww-8rq7 was published for openclaw (npm) Mar 16, 2026
space08 Credited to space08
OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval High
GHSA-63f5-hhc7-cx6p was published for openclaw (npm) Mar 16, 2026
tdjackey Credited to tdjackey
OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs Moderate
GHSA-xwcj-hwhf-h378 was published for openclaw (npm) Mar 16, 2026
space08 Credited to space08
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries High
CVE-2026-32728 was published for parse-server (npm) Mar 16, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script High
CVE-2026-4092 was published for @google/clasp (npm) Mar 13, 2026
g0w6y Credited to g0w6y
OneUptime: Password Reset Token Logged at INFO Level Moderate
CVE-2026-32598 was published for oneuptime (npm) Mar 13, 2026
n0rv-TvT Credited to n0rv-TvT
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode High
CVE-2026-32302 was published for openclaw (npm) Mar 12, 2026
yianworks Credited to yianworks
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters Critical
CVE-2026-32306 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose") High
CVE-2026-32308 was published for oneuptime (npm) Mar 13, 2026
restriction Credited to restriction
Locutus vulnerable to RCE via unsanitized input in create_function() Critical
CVE-2026-32304 was published for locutus (npm) Mar 13, 2026
ByamB4 Credited to ByamB4
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
SandboxJS affected by a Sandbox Escape Critical
CVE-2026-26954 was published for @nyariv/sandboxjs (npm) Mar 13, 2026
c0rydoras Credited to c0rydoras
SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers Moderate
CVE-2026-32723 was published for @nyariv/sandboxjs (npm) Mar 16, 2026
Zwique Credited to Zwique, Lumb3, Ved235, BlguunBN, Och1r1, and b34rn00b Lumb3 Lumb3
Ved235 Ved235 BlguunBN BlguunBN Och1r1 Och1r1 b34rn00b b34rn00b
XSS in @leanprover/unicode-input-component Low
CVE-2026-32732 was published for @leanprover/unicode-input-component (npm) Mar 16, 2026
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens Low
CVE-2026-32638 was published for studiocms (npm) Mar 16, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
Uncontrolled memory allocation via crafted SVG dimensions in @dicebear/converter High
CVE-2026-29112 was published for @dicebear/converter (npm) Mar 16, 2026
maru1009 Credited to maru1009
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database