GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
275 advisories
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Low · GHSA-fpg4-jhqr-589c was published for @sveltejs/kit (npm) · Feb 28, 2026

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Low · CVE-2026-27942 was published for fast-xml-parser (npm) · Feb 26, 2026

ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
Low · CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) · Feb 25, 2026

OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
Low · CVE-2026-27484 was published for openclaw (npm) · Feb 20, 2026

OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
Low · GHSA-4685-c5cp-vp95 was published for openclaw (npm) · Feb 19, 2026

devalue affected by CPU and memory amplification from sparse arrays
Low · GHSA-33hq-fvwr-56pm was published for devalue (npm) · Feb 19, 2026

devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
Low · GHSA-8qm3-746x-r74r was published for devalue (npm) · Feb 19, 2026

Hono added timing comparison hardening in basicAuth and bearerAuth
Low · GHSA-gq3j-xvxp-8hrf was published for hono (npm) · Feb 19, 2026

Unauthorized npm publish of cline@2.3.0 with modified postinstall script
Low · GHSA-9ppg-jx86-fqw7 was published for cline (npm) · Feb 19, 2026

OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Low · GHSA-chm2-m3w2-wcxm was published for clawdbot (npm) · Feb 17, 2026

OpenClaw log poisoning (indirect prompt injection) via WebSocket headers
Low · GHSA-g27f-9qjv-22pm was published for openclaw (npm) · Feb 17, 2026

OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
Low · CVE-2026-24764 was published for openclaw (npm) · Feb 17, 2026

qs's arrayLimit bypass in comma parsing allows denial of service
Low · CVE-2026-2391 was published for qs (npm) · Feb 12, 2026

Claude Code has Permission Deny Bypass Through Symbolic Links
Low · CVE-2026-25724 was published for @anthropic-ai/claude-code (npm) · Feb 6, 2026

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
Low · CVE-2025-68458 was published for webpack (npm) · Feb 5, 2026

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
Low · CVE-2025-68157 was published for webpack (npm) · Feb 5, 2026

Qwik City Open Redirect via fixTrailingSlash
Low · CVE-2026-25149 was published for @builder.io/qwik-city (npm) · Feb 3, 2026

Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
Low · CVE-2026-25224 was published for fastify (npm) · Feb 2, 2026

Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy
Low · CVE-2026-25050 was published for @vendure/core (npm) · Jan 30, 2026

Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Low · CVE-2026-24048 was published for @backstage/backend-defaults (npm) · Jan 21, 2026

Turbo Frame responses can restore stale session cookies
Low · CVE-2025-66803 was published for @hotwired/turbo (npm) · Jan 20, 2026

Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
Low · CVE-2026-23522 was published for @lobehub/chat (npm) · Jan 20, 2026

Open Chinese Convert has Out-of-bounds Write
Low · CVE-2025-15536 was published for opencc (npm) · Jan 18, 2026

Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode
Low · CVE-2026-23634 was published for pepr (npm) · Jan 15, 2026

jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Low · CVE-2026-24001 was published for diff (npm) · Jan 14, 2026

ProTip! Advisories are also available from the GraphQL API