GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Advisory counts by ecosystem (GitHub reviewed): All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,436; Maven 5,000+; npm 5,000+; NuGet 883; pip 4,694; Pub 13; RubyGems 1,029; Rust 1,212; Swift 53. Unreviewed advisories: 5,000+.
1,927 advisories match the current filter; every entry listed below is rated Moderate and affects an npm package.
- Electron: Named window.open targets not scoped to the opener's browsing context (Moderate): CVE-2026-34765, electron (npm), published Apr 7, 2026
- OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution (Moderate): GHSA-rvqr-hrcc-j9vv, openclaw (npm), published Mar 26, 2026
- OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message (Moderate): GHSA-6336-qqw9-v6x6, openclaw (npm), published Apr 3, 2026
- OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get (Moderate): GHSA-jjw7-3vjf-fg5j, openclaw (npm), published Apr 2, 2026
- OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch (Moderate): GHSA-4p4f-fc8q-84m3, openclaw (npm), published Apr 7, 2026
- Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser (Moderate): CVE-2026-33349, fast-xml-parser (npm), published Mar 19, 2026
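Added illustration of the bug class named in the fast-xml-parser entry above (editor's example, not fast-xml-parser's code): a limit option read with `||` silently discards a deliberate 0 and falls back to the default, while `??` keeps it. The entity table, the option name `maxExpansions` and the default of 100 are constructed for the demo.

```javascript
// Added illustration of the falsy-default bug class; NOT fast-xml-parser's
// code. Entity table, option name and default are constructed for the demo.
const ENTITIES = {
  a: "x",
  b: "&a;&a;&a;&a;",
  c: "&b;&b;&b;&b;",
};

// Expand entity references recursively, counting every substitution, and
// throw once more than `maxExpansions` substitutions have happened.
function expandEntities(text, maxExpansions) {
  let count = 0;
  const expand = (s) =>
    s.replace(/&([a-z]+);/g, (whole, name) => {
      if (!(name in ENTITIES)) return whole;
      count += 1;
      if (count > maxExpansions) {
        throw new Error(`entity expansion limit ${maxExpansions} exceeded`);
      }
      return expand(ENTITIES[name]);
    });
  return expand(text);
}

// Vulnerable option handling: `||` treats every falsy value, including a
// deliberate 0, as "not set" and substitutes the default.
function parseVulnerable(text, opts = {}) {
  const limit = opts.maxExpansions || 100;
  return expandEntities(text, limit);
}

// Fixed option handling: `??` falls back only for undefined/null, so 0 is
// enforced as a real limit (a Number.isInteger check would be stricter still).
function parseFixed(text, opts = {}) {
  const limit = opts.maxExpansions ?? 100;
  return expandEntities(text, limit);
}

// Wrap a parse so callers get a result object instead of an exception.
function tryParse(parse, text, opts) {
  try {
    return { ok: true, out: parse(text, opts) };
  } catch (err) {
    return { ok: false, err: err.message };
  }
}
```

Expanding `&c;` costs 21 substitutions (1 for c, 4 for b, 16 for a); with `maxExpansions: 0` the vulnerable parser still produces all sixteen `x` characters, the fixed one refuses at the first substitution.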
- Next.js has Unbounded Memory Consumption via PPR Resume Endpoint (Moderate): CVE-2025-59472, next (npm), published Jan 28, 2026
- OpenClaw's config env vars allowed startup env injection into service runtime (Moderate): CVE-2026-22177, openclaw (npm), published Mar 3, 2026
- Axios HTTP/2 Session Cleanup State Corruption Vulnerability (Moderate): CVE-2026-39865, axios (npm), published Apr 8, 2026
- Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() (Moderate): CVE-2026-39410, hono (npm), published Apr 8, 2026
- Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses (Moderate): CVE-2026-39409, hono (npm), published Apr 8, 2026
- Hono: Path traversal in toSSG() allows writing files outside the output directory (Moderate): CVE-2026-39408, hono (npm), published Apr 8, 2026
- Hono: Middleware bypass via repeated slashes in serveStatic (Moderate): CVE-2026-39407, hono (npm), published Apr 8, 2026
- @hono/node-server: Middleware bypass via repeated slashes in serveStatic (Moderate): CVE-2026-39406, @hono/node-server (npm), published Apr 8, 2026
- Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO) (Moderate): GHSA-vvjj-xcjg-gr5g, nodemailer (npm), published Apr 8, 2026
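Added illustration of the CRLF command-injection class named in the Nodemailer entry above (editor's example, not Nodemailer's code): a client that interpolates a caller-supplied name into the EHLO line lets `\r\n` inside that name terminate the command and append further SMTP commands. The hostname grammar used for the fix (letters, digits and hyphens in dot-separated labels, or a bracketed address literal) and the hostile sample name are constructed for the demo.

```javascript
// Added illustration; NOT Nodemailer's code. The grammar and the hostile
// name below are constructed for the demo.
const LABEL = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
const HOSTNAME_RE = new RegExp(
  `^(?:${LABEL}(?:\\.${LABEL})*|\\[(?:IPv6:)?[0-9A-Fa-f:.]+\\])$`
);

// Vulnerable: no validation of the name option before it goes on the wire.
function ehloVulnerable(name) {
  return `EHLO ${name}\r\n`;
}

// Fixed: refuse anything outside the hostname grammar, which also excludes
// every control character (CR, LF, NUL and the rest).
function ehloFixed(name) {
  if (typeof name !== "string" || !HOSTNAME_RE.test(name)) {
    throw new Error("invalid EHLO/HELO name");
  }
  return `EHLO ${name}\r\n`;
}

// What an SMTP server parses from the bytes on the wire: one command per
// CRLF-terminated line.
function smtpCommands(wire) {
  return wire.split("\r\n").filter((line) => line.length > 0);
}

// Constructed hostile name: a valid host followed by two injected commands.
const INJECTED_NAME =
  "mail.example.com\r\nMAIL FROM:<attacker@example.com>\r\nRCPT TO:<victim@example.org>";
```

With the vulnerable builder the server sees three commands where the client meant to send one; the grammar check rejects the whole value rather than trying to strip the offending bytes, since stripping can itself be bypassed by alternative line terminators.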
- LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read (Moderate): CVE-2026-39859, liquidjs (npm), published Apr 8, 2026
- LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel (Moderate): CVE-2026-39412, liquidjs (npm), published Apr 8, 2026
- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header (Moderate): CVE-2026-39411, @lobehub/lobehub (npm), published Apr 8, 2026
- Hono missing validation of cookie name on write path in setCookie() (Moderate): GHSA-26pp-8wgv-hjvm, hono (npm), published Apr 8, 2026
- openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools (Moderate): CVE-2026-39398, openclaw-claude-bridge (npm), published Apr 8, 2026
- Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` (Moderate): CVE-2026-39381, parse-server (npm), published Apr 8, 2026
- skilleton has improper input handling in repository/path processing (Moderate): GHSA-5g3j-89fr-r2vp, skilleton (npm), published Apr 8, 2026
- Parse Server has a login timing side-channel that reveals user existence (Moderate): CVE-2026-39321, parse-server (npm), published Apr 8, 2026
- coursevault-preview has a path traversal due to improper base-directory boundary validation (Moderate): CVE-2026-35613, coursevault-preview (npm), published Apr 8, 2026
- Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling (Moderate): CVE-2026-39365, vite (npm), published Apr 6, 2026
Advisories are also available from the GraphQL API.