
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,867 advisories

Soroban: Muxed address<->ScVal conversions may break after a conversion failure Low
GHSA-pm4j-7r4q-ccg8 was published for soroban-env-host (Rust) Mar 7, 2026
Shescape has possible misidentification of shell due to link chains Low
GHSA-6f6w-6j58-rq76 was published for shescape (npm) Mar 7, 2026
Mercurius's queryDepth limit bypassed for WebSocket subscriptions Low
CVE-2026-30241 was published for mercurius (npm) Mar 6, 2026
Credited to TinkAnet and mcollina
org.eclipse.jetty:jetty-http has different parsing of invalid URIs Low
CVE-2025-11143 was published for org.eclipse.jetty:jetty-http (Maven) Mar 5, 2026
Credited to zer0yu
dbt-common's commonprefix() doesn't protect against path traversal Low
CVE-2026-29790 was published for dbt-common (pip) Mar 5, 2026
Credited to sethmlarson and emmyoop
Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers Low
CVE-2026-29781 was published for github.com/bishopfox/sliver (Go) Mar 5, 2026
Credited to skoveit
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass Low
CVE-2026-29184 was published for @backstage/plugin-scaffolder-backend (npm) Mar 5, 2026
Backstage vulnerable to potential reading of SCM URLs using built in token Low
CVE-2026-29185 was published for @backstage/integration (npm) Mar 5, 2026
OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access Low
GHSA-vjp8-wprm-2jw9 was published for openclaw (npm) Mar 4, 2026
Credited to tdjackey
Dark Reader gives users the ability to request style sheets from local web servers Low
CVE-2025-68467 was published for darkreader (npm) Mar 4, 2026
Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF) Low
CVE-2026-2994 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Credited to tdjackey
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback Low
GHSA-v6x2-2qvm-6gv8 was published for openclaw (npm) Mar 3, 2026
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity Low
GHSA-gcj7-r3hg-m7w6 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model Low
GHSA-7qf6-h84j-8fq4 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw's runtime /debug override path accepted prototype-reserved keys Low
GHSA-62f6-mrcj-v8h5 was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions Low
GHSA-vvgp-4c28-m3jm was published for openclaw (npm) Mar 3, 2026
Credited to tdjackey
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options Low
GHSA-4mgv-366x-qxvx was published for craftcms/cms (Composer) Mar 3, 2026
Credited to mHe4am
aws-kms-tls-auth vulnerable to memory overallocation Low
GHSA-5whh-4q9j-7v28 was published for aws-kms-tls-auth (Rust) Mar 3, 2026
Django has a Race Condition vulnerability Low
CVE-2026-25674 was published for Django (pip) Mar 3, 2026
@tootallnate/once vulnerable to Incorrect Control Flow Scoping Low
CVE-2026-3449 was published for @tootallnate/once (npm) Mar 3, 2026
mailparser vulnerable to Cross-site Scripting Low
CVE-2026-3455 was published for mailparser (npm) Mar 3, 2026
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read Low
GHSA-5ghc-98wh-gwwf was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey
OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains Low
GHSA-5f9p-f3w2-fwch was published for openclaw (npm) Mar 2, 2026
Credited to tdjackey