
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

4,748 advisories

Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions High
CVE-2026-27610 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint High
CVE-2026-27609 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza
Parse Dashboard is Missing Authorization for its Agent Endpoint Critical
CVE-2026-27608 was published for parse-dashboard (npm) Feb 25, 2026
Credited to mtrezza and ByamB4
Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) Critical
CVE-2026-27702 was published for budibase (npm) Feb 25, 2026
Credited to vicevirus
Parse Dashboard has incomplete authentication on AI Agent endpoint Critical
CVE-2026-27595 was published for parse-dashboard (npm) Feb 25, 2026
Credited to ByamB4 and mtrezza
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation Low
CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) Feb 25, 2026
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize Moderate
CVE-2026-27829 was published for @astrojs/node (npm) Feb 25, 2026
Credited to pHo9UBenaA
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() Critical
CVE-2026-27728 was published for @oneuptime/common (npm) Feb 25, 2026
Credited to dxlerYT
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
Credited to EdamAme-x
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
Credited to c0rydoras and frontegg-david
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard Moderate
CVE-2026-27612 was published for repostat (npm) Feb 25, 2026
Credited to denpiligrim
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints Critical
CVE-2026-27584 was published for @actual-app/sync-server (npm) Feb 24, 2026
Credited to iamsilk
Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads Moderate
CVE-2026-27567 was published for payload (npm) Feb 24, 2026
Credited to r3dbrothers
OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE Critical
CVE-2026-27574 was published for @oneuptime/common (npm) Feb 24, 2026
Credited to ByamB4
Astro has Full-Read SSRF in error rendering via Host: header injection Moderate
CVE-2026-25545 was published for @astrojs/node (npm) Feb 23, 2026
Credited to Aikido-Security, reindaelman, JorianWoltjer, and grumpinout1
Credited to aether-ai-agent
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused Moderate
CVE-2026-27492 was published for lettermint (npm) Feb 20, 2026
OpenClaw hardened cron webhook delivery against SSRF Moderate
CVE-2026-27488 was published for openclaw (npm) Feb 20, 2026
Credited to Adam55A-code
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows Low
CVE-2026-27484 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
Sync-in Server has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-67438 was published for @sync-in/server (npm) Feb 20, 2026
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names Critical
CVE-2026-25896 was published for fast-xml-parser (npm) Feb 20, 2026
Credited to Ochk0
bn.js affected by an infinite loop Moderate
CVE-2026-2739 was published for bn.js (npm) Feb 20, 2026
Credited to richardsimko and jochenschmich-aeberle
OpenClaw safeBins file-existence oracle information disclosure Moderate
GHSA-6c9j-x93c-rw6j was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
Credited to nedlir