GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:

  All reviewed    5,000+
  Composer        5,000+
  Erlang          45
  GitHub Actions  47
  Go              3,309
  Maven           5,000+
  npm             5,000+
  NuGet           876
  pip             4,531
  Pub             12
  RubyGems        1,009
  Rust            1,195
  Swift           51

Unreviewed advisories:

  All unreviewed  5,000+

Current listing: 2,060 advisories
- CVE-2026-33722 [High] n8n (npm), published Mar 25, 2026: n8n Has External Secrets Authorization Bypass in Credential Saving
- CVE-2026-33671 [High] picomatch (npm), published Mar 25, 2026: Picomatch has a ReDoS vulnerability via extglob quantifiers
- CVE-2026-33665 [High] n8n (npm), published Mar 25, 2026: n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
- CVE-2026-33663 [High] n8n (npm), published Mar 25, 2026: n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
- CVE-2026-33287 [High] liquidjs (npm), published Mar 25, 2026: LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
- CVE-2026-33285 [High] liquidjs (npm), published Mar 25, 2026: LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
- GHSA-w3hv-x4fp-6h6j [High] @grackle-ai/server (npm), published Mar 25, 2026: @grackle-ai/server has Missing WebSocket Origin Header Validation
- GHSA-647h-p824-99w7 [High] @grackle-ai/mcp (npm), published Mar 25, 2026: @grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool
- CVE-2026-27496 [High] n8n (npm), published Mar 25, 2026: n8n has In-Process Memory Disclosure in its Task Runner
- CVE-2026-33627 [High] parse-server (npm), published Mar 24, 2026: Parse Server exposes auth data via /users/me endpoint
- CVE-2026-33539 [High] parse-server (npm), published Mar 24, 2026: Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
- CVE-2026-33538 [High] parse-server (npm), published Mar 24, 2026: Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
- GHSA-g3qj-j598-cxmq [High] fido2-lib (npm), published Mar 24, 2026: fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
- GHSA-9f79-7pw8-3fj8 [High] openclaw (npm), published Mar 21, 2026 (withdrawn): Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
- GHSA-rj39-33v7-9xrq [High] openclaw (npm), published Mar 21, 2026 (withdrawn): Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
- GHSA-cxcw-jm67-3wwp [High] openclaw (npm), published Mar 21, 2026 (withdrawn): Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
- GHSA-qwmf-95r9-gx9x [High] openclaw (npm), published Mar 21, 2026 (withdrawn): Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
- GHSA-xq3g-m3j8-2vmm [High] openclaw (npm), published Mar 21, 2026 (withdrawn): Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
- CVE-2026-33508 [High] parse-server (npm), published Mar 20, 2026: Parse Server LiveQuery subscription query depth bypass
- CVE-2026-33498 [High] parse-server (npm), published Mar 20, 2026: Parse Server has a query condition depth bypass via pre-validation transform pipeline
- CVE-2026-33468 [High] kysely (npm), published Mar 20, 2026: Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
- CVE-2026-33442 [High] kysely (npm), published Mar 20, 2026: Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys
- CVE-2026-33421 [High] parse-server (npm), published Mar 20, 2026: Parse Server's LiveQuery bypasses CLP pointer permission enforcement
- CVE-2026-33418 [High] @dicebear/converter (npm), published Mar 20, 2026: SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
- CVE-2026-32887 [High] effect (npm), published Mar 20, 2026: Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC