GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
410 advisories
rmcp Streamable HTTP server transport has a DNS rebinding vulnerability [High] CVE-2026-42559, published for rmcp (Rust) on May 6, 2026

OpenClaw: Slack thread context could include messages from non-allowlisted senders [Low] CVE-2026-41358, published for openclaw (npm) on May 4, 2026

A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function... [Low, Unreviewed] CVE-2026-7643, published May 2, 2026

A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the... [Low, Unreviewed] CVE-2026-7581, published May 1, 2026

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs... [Moderate, Unreviewed] CVE-2026-7439, published Apr 29, 2026

OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass... [Moderate, Unreviewed] CVE-2026-22077, published Apr 27, 2026

Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders [Low, withdrawn] GHSA-7hrg-5w46-5r2x, published for openclaw (npm) on Apr 24, 2026

Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials [High, withdrawn] GHSA-gv2f-q4wp-fvh5, published for openclaw (npm) on Apr 24, 2026

locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor [High] CVE-2026-41886, published for locize (npm) on Apr 22, 2026

A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the... [Moderate, Unreviewed] CVE-2026-6662, published Apr 20, 2026

pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) [Moderate] CVE-2026-40594, published for pyload-ng (pip) on Apr 16, 2026

WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses [High] CVE-2026-41057, published for wwbn/avideo (Composer) on Apr 14, 2026

A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue... [Moderate, Unreviewed] CVE-2026-6143, published Apr 13, 2026

Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55... [Moderate, Unreviewed] CVE-2026-5899, published Apr 9, 2026

Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a... [Moderate, Unreviewed] CVE-2026-5918, published Apr 9, 2026

Java-SDK has a DNS Rebinding Vulnerability [High] CVE-2026-35568, published for io.modelcontextprotocol.sdk:mcp-core (Maven) on Apr 7, 2026

Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim [Low] CVE-2026-37977, published for org.keycloak:keycloak-services (Maven) on Apr 6, 2026

Directus: Missing Cross-Origin Opener Policy [High] CVE-2026-35408, published for directus (npm) on Apr 4, 2026

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow [Moderate] CVE-2026-34083, published for signalk-server (npm) on Apr 3, 2026

OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration [High] CVE-2026-41393, published for openclaw (npm) on Apr 3, 2026

OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode [Moderate] GHSA-mhr7-2xmv-4c4q, published for openclaw (npm) on Apr 3, 2026

Electron: Incorrect origin passed to permission request handler for iframe requests [Moderate] CVE-2026-34777, published for electron (npm) on Apr 3, 2026

OpenClaw: Matrix thread root and reply context bypass sender allowlist [Low] CVE-2026-41376, published for openclaw (npm) on Apr 2, 2026

A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown... [Moderate, Unreviewed] CVE-2026-5321, published Apr 2, 2026

GraphQL API endpoint ignores CORS origin restriction [Moderate] CVE-2026-34373, published for parse-server (npm) on Mar 30, 2026