GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,004; Maven 5,000+; npm 5,000+; NuGet 974; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,395; Swift 61.
Unreviewed advisories: 5,000+.

214 advisories listed.
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Critical. CVE-2026-47430, published Jun 8, 2026 for cordova-plugin-inappbrowser (npm).

DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
Critical. CVE-2026-47668, published Jun 5, 2026 for dbgate-serve (npm).

AgenticMail API/storage and outbound relay hardening fixes
High. CVE-2026-47255, published May 29, 2026 for @agenticmail/api (npm).

js-libp2p: Memory DoS via subscription flood of unique topics
High. CVE-2026-46679, published May 21, 2026 for @libp2p/gossipsub (npm).

@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
High. CVE-2026-45783, published May 19, 2026 for @libp2p/kad-dht (npm).

HAX CMS: Denial of Service using Malicious Import Request
Moderate. CVE-2026-46357, published May 19, 2026 for @haxtheweb/haxcms-nodejs (npm).

Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
Moderate. CVE-2026-46341, published May 19, 2026 for @apify/actors-mcp-server (npm).

Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
High. CVE-2026-45013, published May 14, 2026 for apostrophe (npm).

protobuf.js: Denial of service from crafted field names in generated code
Moderate. CVE-2026-44294, published May 12, 2026 for protobufjs (npm).

Electerm users can run dangerous code through link or command line
Critical. CVE-2026-43944, published May 8, 2026 for electerm (npm).

Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
High. CVE-2026-42553, published May 7, 2026 for cinny (npm).

open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
High. CVE-2026-42260, published May 5, 2026 for open-websearch (npm).

n8n has SQL Injection in Oracle Database Node via Limit Field
Moderate. CVE-2026-42233, published Apr 29, 2026 for n8n (npm).

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Critical. GHSA-wpqr-6v78-jr5g, published Apr 24, 2026 for @google/gemini-cli (GitHub Actions).

Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
High. CVE-2026-40068, published Apr 24, 2026 for @anthropic-ai/claude-code (npm).

Flowise: Parameter Override Bypass Remote Command Execution
High. CVE-2026-41268, published Apr 16, 2026 for flowise (npm).

Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
High. CVE-2026-41267, published Apr 16, 2026 for flowise (npm).

OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
Moderate. CVE-2026-42423, published Apr 9, 2026 for openclaw (npm).

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
Moderate. CVE-2026-39410, published Apr 8, 2026 for hono (npm).
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Moderate. CVE-2026-41372, published Apr 7, 2026 for openclaw (npm).

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
High. CVE-2026-35409, published Apr 4, 2026 for directus (npm).
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Moderate. CVE-2026-35410, published Apr 4, 2026 for directus (npm).

Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
Low. CVE-2026-35038, published Apr 3, 2026 for signalk-server (npm).
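The Signal K entry names the class "arbitrary prototype read": a caller-supplied field used directly as a property name on a plain object resolves "__proto__", "constructor" and every other Object.prototype member. The added example below is not signalk-server's code; the record store and the `from` values are constructed. It shows the weak lookup, an own-property check (Object.hasOwn rather than store.hasOwnProperty, which a record key named "hasOwnProperty" could shadow), and a null-prototype store that leaves nothing for a crafted key to reach.

```javascript
// Added example, not signalk-server's code: a lookup keyed by a user-supplied
// `from` field reaches Object.prototype, beside two ways to close that.
const records = { "vessels.self": { name: "demo" } }; // constructed store

// Weak: whatever string arrives is used as a key on a plain object.
function naiveLookup(store, from) {
  return store[from];
}

// Own-property check. Object.hasOwn is a static, so a record named
// "hasOwnProperty" cannot replace it the way store.hasOwnProperty(from) could.
function strictLookup(store, from) {
  return typeof from === "string" && Object.hasOwn(store, from) ? store[from] : undefined;
}

// Null-prototype store: there is no prototype chain for a crafted key to walk.
function makeStore(entries) {
  const store = Object.create(null);
  for (const [k, v] of Object.entries(entries)) store[k] = v;
  return store;
}

// Keys that a plain-object lookup resolves to prototype members.
const PROBE_KEYS = ["__proto__", "constructor", "toString", "hasOwnProperty"];

// Which probe keys a given lookup/store pair answers with something.
function leaks(lookup, store) {
  return PROBE_KEYS.filter((k) => lookup(store, k) !== undefined);
}
```

leaks(naiveLookup, records) returns all four probe keys; leaks(strictLookup, records) and leaks(naiveLookup, makeStore(records)) both return an empty list, while the legitimate key still resolves in every variant.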
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Moderate. CVE-2026-34773, published Apr 3, 2026 for electron (npm).

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
Critical. CVE-2026-34950, published Apr 2, 2026 for fast-jwt (npm).
ProTip! Advisories are also available from the GraphQL API.