
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,088 advisories

sse-channel: SSE Injection via unsanitized event fields (Moderate)
CVE-2026-44217 was published for sse-channel (npm) on May 5, 2026. Credited to SnailSploit.

ip-address has XSS in Address6 HTML-emitting methods (Moderate)
CVE-2026-42338 was published for ip-address (npm) on May 5, 2026. Credited to scovetta.

@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS (Moderate)
GHSA-7xp7-m392-h92c was published for @evomap/evolver (npm) on May 5, 2026. Credited to offset.

OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload (Moderate)
GHSA-q8ff-7ffm-m3r9 was published for openclaw (npm) on May 5, 2026. Credited to feynman-hou.

@workos/authkit-session has an Open Redirect via state-derived redirect target (Moderate)
CVE-2026-42565 was published for @workos/authkit-session (npm) on May 5, 2026. Credited to kenkunz.

LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution (Moderate)
CVE-2026-42045 was published for @lobehub/lobehub (npm) on May 5, 2026. Credited to Hpd0ger and aftern00n.

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream (Moderate)
CVE-2026-42037 was published for axios (npm) on May 5, 2026. Credited to kobi-s.

Axios: no_proxy bypass via IP alias allows SSRF (Moderate)
CVE-2026-42038 was published for axios (npm) on May 5, 2026. Credited to srisowmya2000.

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data (Moderate)
CVE-2026-42039 was published for axios (npm) on May 5, 2026. Credited to fg0x0.

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 (Moderate)
CVE-2026-42034 was published for axios (npm) on May 5, 2026. Credited to asadeddin.

Axios: HTTP adapter streamed responses bypass maxContentLength (Moderate)
CVE-2026-42036 was published for axios (npm) on May 5, 2026. Credited to asadeddin and August829.

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy (Moderate)
CVE-2026-42041 was published for axios (npm) on May 5, 2026. Credited to August829.

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` (Moderate)
CVE-2026-42044 was published for axios (npm) on May 5, 2026. Credited to August829.
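The two prototype-pollution entries above (CVE-2026-42041 and CVE-2026-42044) name the same gadget class: a config merge that reads option values through the prototype chain, so an unrelated pollution primitive can supply a `validateStatus` or `parseReviver` the caller never set. The following is an added illustration written for this page. It is not axios's code and not either advisory's proof of concept; the merge and response-handling functions (`mergeConfigNaive`, `mergeConfigSafe`, `handleResponse`, `demo`) and the polluted values are constructed assumptions that show the pattern and one way to close it.

```javascript
// Added illustration of the prototype-pollution gadget class, not axios code.
// Assumed names: mergeConfigNaive, mergeConfigSafe, handleResponse, demo.

const OPTION_KEYS = ["validateStatus", "parseReviver"];

// Naive merge: for each known option take the caller's value, else the default.
// `src[key]` and `defaults[key]` both walk the prototype chain, so a polluted
// Object.prototype supplies "values" for options that neither object owns.
function mergeConfigNaive(defaults, src) {
  const out = {};
  for (const key of OPTION_KEYS) {
    out[key] = src[key] !== undefined ? src[key] : defaults[key];
  }
  return out;
}

// Hardened merge: only own properties count, and the result has no prototype,
// so later reads of an unset option yield undefined instead of a polluted value.
function mergeConfigSafe(defaults, src) {
  const out = Object.create(null);
  const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  for (const key of OPTION_KEYS) {
    if (own(src, key)) out[key] = src[key];
    else if (own(defaults, key)) out[key] = defaults[key];
  }
  return out;
}

// Library defaults (constructed): 2xx is success, no JSON reviver.
const defaults = {
  validateStatus: (status) => status >= 200 && status < 300,
};

// Simulated response handling: success is decided by validateStatus, then the
// JSON body is parsed with the configured reviver, if any.
function handleResponse(config, status, body) {
  if (!config.validateStatus(status)) return { ok: false, data: null };
  const data = config.parseReviver
    ? JSON.parse(body, config.parseReviver)
    : JSON.parse(body);
  return { ok: true, data };
}

// Run one merge strategy under a constructed pollution primitive (as would be
// left behind by an unsafe deep-merge of attacker-controlled JSON elsewhere).
// The caller passes no options; the pollution is removed afterwards.
function demo(merge) {
  Object.prototype.validateStatus = () => true;                 // every status "succeeds"
  Object.prototype.parseReviver = (k, v) => (k === "role" ? "admin" : v); // rewrites the body
  try {
    const config = merge(defaults, {});
    return handleResponse(config, 401, '{"role":"user"}');
  } finally {
    delete Object.prototype.validateStatus;
    delete Object.prototype.parseReviver;
  }
}

// Naive merge: a 401 is treated as success and the parsed role becomes "admin".
// Safe merge: the 401 is rejected and no reviver runs.
console.log(JSON.stringify(demo(mergeConfigNaive)));
console.log(JSON.stringify(demo(mergeConfigSafe)));
```

The hardening is two independent changes: the merge consults only own properties, and the merged object is created with a null prototype so that reads of options the caller never set cannot fall through to `Object.prototype`. Either change alone narrows the gadget; together they remove it for this merge.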
OpenClaw's Gateway Control UI bootstrap config required Gateway auth (Moderate)
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) on May 4, 2026. Credited to zsxsoft and KeenSecurityLab.

OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes (Moderate)
GHSA-5h3g-6xhh-rg6p was published for openclaw (npm) on May 4, 2026. Credited to VladimirEliTokarev.

OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs (Moderate)
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) on May 4, 2026. Credited to VladimirEliTokarev.

OpenClaw: Workspace dotenv files cannot override connector endpoint hosts (Moderate)
GHSA-55cf-xx38-4p9p was published for openclaw (npm) on May 4, 2026. Credited to qi-scape.

OpenClaw's ACP child sessions inherit subagent security envelope constraints (Moderate)
GHSA-q3jj-46pq-826r was published for openclaw (npm) on May 4, 2026. Credited to zsxsoft and KeenSecurityLab.

OpenClaw validates Zalo outbound photo URLs through the SSRF guard (Moderate)
GHSA-2hh7-c75g-qj2r was published for openclaw (npm) on May 4, 2026. Credited to foodlook.

Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool (Moderate)
CVE-2026-41686 was published for @anthropic-ai/sdk (npm) on Apr 29, 2026.

OpenClaw: Webchat audio embedding could read local files without local-root containment (Moderate)
GHSA-gfg9-5357-hv4c was published for openclaw (npm) on Apr 29, 2026. Credited to zsxsoft.

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners (Moderate)
GHSA-c28g-vh7m-fm7v was published for openclaw (npm) on Apr 29, 2026. Credited to zsxsoft and KeenSecurityLab.

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure (Moderate)
CVE-2026-42227 was published for n8n (npm) on Apr 29, 2026. Credited to nkoorty and jjjutla.

n8n Vulnerable to Hijacking of Unauthenticated Chat Execution (Moderate)
CVE-2026-42228 was published for n8n (npm) on Apr 29, 2026. Credited to 34selen.