Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
41
GitHub Actions
41
Go
3,100
Maven
5,000+
npm
4,993
NuGet
826
pip
4,425
Pub
12
RubyGems
988
Rust
1,170
Swift
50
Unreviewed advisories
All unreviewed
5,000+

1,940 advisories

Loading
Flowise has Arbitrary File Upload via MIME Spoofing High
CVE-2026-30821 was published for flowise (npm) Mar 6, 2026
im-soohyun Credited to im-soohyun
Flowise has Authorization Bypass via Spoofed x-request-from Header High
CVE-2026-30820 was published for flowise (npm) Mar 6, 2026
N3mes1s Credited to N3mes1s
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user High
CVE-2026-30229 was published for parse-server (npm) Mar 6, 2026
devanshbatham Credited to devanshbatham and mtrezza mtrezza mtrezza
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network High
CVE-2026-30827 was published for express-rate-limit (npm) Mar 6, 2026
TinkAnet Credited to TinkAnet
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution High
CVE-2026-29783 was published for @github/copilot (npm) Mar 6, 2026
opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass High
CVE-2026-3125 was published for @opennextjs/cloudflare (npm) Mar 5, 2026
Ezzer17 Credited to Ezzer17
tar has Hardlink Path Traversal via Drive-Relative Linkpath High
CVE-2026-29786 was published for tar (npm) Mar 5, 2026
Jvr2022 Credited to Jvr2022
Ghost has incomplete CSRF protections around OTC use High
CVE-2026-29784 was published for ghost (npm) Mar 5, 2026
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction High
CVE-2026-29182 was published for parse-server (npm) Mar 5, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Multer Vulnerable to Denial of Service via Uncontrolled Recursion High
CVE-2026-3520 was published for multer (npm) Mar 5, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, ctcpip, and UlisesGascon ctcpip ctcpip
UlisesGascon UlisesGascon
TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution High
CVE-2026-29186 was published for @backstage/plugin-techdocs-node (npm) Mar 5, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) High
CVE-2026-29074 was published for svgo (npm) Mar 4, 2026
ByamB4 Credited to ByamB4 and isaacs isaacs isaacs
Immutable is vulnerable to Prototype Pollution High
CVE-2026-29063 was published for immutable (npm) Mar 4, 2026
davkharrr Credited to davkharrr
locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection High
CVE-2026-29091 was published for locutus (npm) Mar 4, 2026
tomasilluminati Credited to tomasilluminati
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware High
CVE-2026-29087 was published for @hono/node-server (npm) Mar 4, 2026
Hono vulnerable to arbitrary file access via serveStatic vulnerability High
CVE-2026-29045 was published for hono (npm) Mar 4, 2026
techfish-11 Credited to techfish-11 and EdamAme-x EdamAme-x EdamAme-x
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations High
GHSA-3jx4-q2m7-r496 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw Canvas Authentication Bypass Vulnerability High
GHSA-vvjh-f6p9-5vcf was published for openclaw (npm) Mar 4, 2026
zdi-disclosures Credited to zdi-disclosures
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows High
GHSA-x2ff-j5c2-ggpr was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From High
GHSA-2ch6-x3g4-7759 was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains High
GHSA-jj82-76v6-933r was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths High
GHSA-m8v2-6wwh-r4gc was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Zip extraction symlink traversal could write outside destination High
GHSA-jxrq-8fm4-9p58 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw hook transform path containment missed symlink-resolved escapes High
GHSA-659f-22xc-98f2 was published for openclaw (npm) Mar 3, 2026
In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program High
GHSA-4gc7-qcvf-38wg was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database