GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,972 advisories

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream Moderate
CVE-2026-42037 was published for axios (npm) May 5, 2026
Credited to kobi-s
Axios: no_proxy bypass via IP alias allows SSRF Moderate
CVE-2026-42038 was published for axios (npm) May 5, 2026
Credited to srisowmya2000
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data Moderate
CVE-2026-42039 was published for axios (npm) May 5, 2026
Credited to fg0x0
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 Moderate
CVE-2026-42034 was published for axios (npm) May 5, 2026
Credited to asadeddin
Axios: HTTP adapter streamed responses bypass maxContentLength Moderate
CVE-2026-42036 was published for axios (npm) May 5, 2026
Credited to asadeddin
Credited to dolevmiz1
Axios: Header Injection via Prototype Pollution High
CVE-2026-42035 was published for axios (npm) May 5, 2026
Credited to raulvdv
Credited to August829
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy Moderate
CVE-2026-42041 was published for axios (npm) May 5, 2026
Credited to August829
Credited to sachinpatilpsp and IAMolofficial
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` Moderate
CVE-2026-42044 was published for axios (npm) May 5, 2026
Credited to August829
Credited to bulmax9797-sketch
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Low
CVE-2026-42040 was published for axios (npm) May 5, 2026
Credited to August829
OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
GHSA-5h3g-6xhh-rg6p was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root High
GHSA-wppj-c6mr-83jj was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) High
CVE-2026-41893 was published for signalk-server (npm) May 4, 2026
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs Moderate
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens High
GHSA-r6xh-pqhr-v4xh was published for openclaw (npm) May 4, 2026
Credited to VladimirEliTokarev
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts Moderate
GHSA-55cf-xx38-4p9p was published for openclaw (npm) May 4, 2026
Credited to qi-scape
OpenClaw's ACP child sessions inherit subagent security envelope constraints Moderate
GHSA-q3jj-46pq-826r was published for openclaw (npm) May 4, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw validates Zalo outbound photo URLs through the SSRF guard Moderate
GHSA-2hh7-c75g-qj2r was published for openclaw (npm) May 4, 2026
Credited to foodlook
OpenClaw: Slack thread context could include messages from non-allowlisted senders Low
CVE-2026-41358 was published for openclaw (npm) May 4, 2026
Credited to AntAISecurityLab
VM2 Sandbox Breakout Through __lookupGetter__ Critical
CVE-2026-24118 was published for vm2 (npm) May 4, 2026
Credited to XmiliaH
Clerk has an authorization bypass when combining organization, billing, or reverification checks High
CVE-2026-42349 was published for @clerk/astro (npm) Apr 30, 2026