Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
50
GitHub Actions
50
Go
3,673
Maven
5,000+
npm
5,000+
NuGet
932
pip
4,893
Pub
13
RubyGems
1,051
Rust
1,315
Swift
53
Unreviewed advisories
All unreviewed
5,000+

22 advisories

Loading
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes Critical
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, climba03003, and UlisesGascon climba03003 climba03003
UlisesGascon UlisesGascon
@fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option High
CVE-2026-33804 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, climba03003, and UlisesGascon mcollina mcollina
climba03003 climba03003 UlisesGascon UlisesGascon
Official Clerk JavaScript SDKs: Middleware-based route protection bypass Critical
CVE-2026-41248 was published for @clerk/astro (npm) Apr 16, 2026
YouGina Credited to YouGina
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) Critical
CVE-2026-33808 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes Critical
CVE-2026-33807 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Parse Server: File upload Content-Type override via extension mismatch Low
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config Low
CVE-2026-41388 was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
GHSA-mxmg-3p7m-2ghr was published for openclaw (npm) Mar 21, 2026 withdrawn
Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text Moderate
GHSA-w6f4-3v35-qjhj was published for openclaw (npm) Mar 21, 2026 withdrawn
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv High
CVE-2026-32971 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run allow-always persistence included shell-commented payload tails Moderate
GHSA-9q2p-vc84-2rwm was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating Low
CVE-2026-27183 was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation Moderate
GHSA-796m-2973-wc5q was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text Moderate
CVE-2026-32052 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed Moderate
CVE-2026-32065 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists Moderate
GHSA-392f-ggf5-fp3c was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
Fastify's Content-Type header tab character allows body validation bypass High
CVE-2026-25223 was published for fastify (npm) Feb 2, 2026
jsumners Credited to jsumners
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization High
CVE-2025-12816 was published for node-forge (npm) Nov 26, 2025
wodzen Credited to wodzen and sei-vsarvepalli sei-vsarvepalli sei-vsarvepalli
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict High
GHSA-jj37-3377-m6vv was published for nodemailer (npm) Nov 14, 2025 withdrawn
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict Moderate
CVE-2025-13033 was published for nodemailer (npm) Oct 7, 2025
xclow3n Credited to xclow3n
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated Moderate
CVE-2023-30541 was published for @openzeppelin/contracts (npm) Apr 17, 2023
MarkLee131 Credited to MarkLee131
Misinterpretation of malicious XML input Moderate
CVE-2021-21366 was published for xmldom (npm) Mar 12, 2021
jupenur Credited to jupenur, karfau, and brody2consult karfau karfau
brody2consult brody2consult
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database