GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

18 advisories

Mojic: Observable Timing Discrepancy in HMAC Verification (Moderate)
CVE-2026-41244, published for mojic (npm) on Apr 16, 2026. Credited to notamitgamer2 and notamitgamer.

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint (Low)
CVE-2026-33877, published for apostrophe (npm) on Apr 16, 2026. Credited to offset.

Sync-in Server has Username Enumeration via Timing Attack (Moderate)
CVE-2026-41161, published for @sync-in/server (npm) on Apr 15, 2026. Credited to ppfeister and 7185.

Parse Server has a login timing side-channel reveals user existence (Moderate)
CVE-2026-39321, published for parse-server (npm) on Apr 8, 2026. Credited to offset and mtrezza.

OpenClaw: Shared-secret comparison call sites leaked length information through timing (Moderate)
CVE-2026-41407, published for openclaw (npm) on Apr 7, 2026. Credited to kexinoh.

h3 has an observable timing discrepancy in basic auth utils (Moderate)
CVE-2026-33129, published for h3 (npm) on Mar 18, 2026. Credited to simonkoeck.

@perfood/couch-auth has an Observable Timing Discrepancy (High)
CVE-2025-70949, published for @perfood/couch-auth (npm) on Mar 5, 2026.

OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check (Moderate)
GHSA-h656-5vcf-cm23, published for openclaw (npm) on Mar 3, 2026. Credited to v8hid.

OpenClaw has non-constant-time token comparison in hooks authentication (High)
CVE-2026-28464, published for openclaw (npm) on Mar 2, 2026. Credited to akhmittra.

OpenClaw: Config writes could persist resolved ${VAR} secrets to disk (Moderate)
CVE-2026-28475, published for openclaw (npm) on Mar 2, 2026. Credited to Abeyron.

Hono added timing comparison hardening in basicAuth and bearerAuth (Low)
GHSA-gq3j-xvxp-8hrf, published for hono (npm) on Feb 19, 2026. Credited to Exagone313.

basic-auth-connect's callback uses time unsafe string comparison (High)
CVE-2024-47178, published for basic-auth-connect (npm) on Sep 30, 2024. Credited to UlisesGascon, ctcpip, AdamKorcz, and blakeembrey.

fastify-bearer-auth vulnerable to Timing Attack Vector (High)
CVE-2022-31142, published for @fastify/bearer-auth (npm) on Jul 15, 2022. Credited to Uzlopak.

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime (Moderate)
CVE-2021-29446, published for jose-node-cjs-runtime (npm) on Apr 19, 2021.

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime (Moderate)
CVE-2021-29445, published for jose-node-esm-runtime (npm) on Apr 19, 2021.

express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison (Low)
GHSA-c35v-qwqg-87jc, published for express-basic-auth (npm) on Jun 6, 2019.

Timing Attack in csrf-lite (High)
CVE-2016-10535, published for csrf-lite (npm) on Feb 18, 2019.