GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

213 advisories

Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL
Severity: High. CVE-2026-48152 was published for @budibase/server (npm) on Jun 12, 2026. Credited to whrit.

FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
Severity: High. CVE-2026-43947 was published for fuxa-server (npm) on May 26, 2026. Credited to AbdrrahimDahmani.

FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
Severity: High. CVE-2026-43946 was published for fuxa-server (npm) on May 26, 2026. Credited to anyzy2003.

FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
Severity: High. CVE-2026-43945 was published for @frangoteam/fuxa (npm) on May 26, 2026. Credited to ud444ng.

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Severity: Low. CVE-2026-46549 was published for nocodb (npm) on May 21, 2026. Credited to ik0z, axsharma, and 0xmagic0.

Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Severity: Moderate. GHSA-c2c9-mfw7-p8hw was published for flowise (npm) on May 20, 2026. Credited to offset.

Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Severity: Moderate. GHSA-9j32-3m66-mc4m was published for openclaw (npm) on May 11, 2026. Status: withdrawn.

Duplicate Advisory: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
Severity: Low. GHSA-p3pv-c954-9m6f was published for openclaw (npm) on May 11, 2026. Status: withdrawn.

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
Severity: High. CVE-2026-44573 was published for next (npm) on May 11, 2026. Credited to bugbunny-research.

Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
Severity: Moderate. CVE-2026-44374 was published for @backstage/plugin-catalog-backend-module-unprocessed (npm) on May 6, 2026.

Duplicate Advisory: OpenClaw: Matrix room control-command authorization no longer trusts DM pairing-store entries
Severity: High. GHSA-79rr-5c85-xvw3 was published for openclaw (npm) on May 6, 2026. Status: withdrawn.

Auth.js SDK has Improper Permission Checking
Severity: High. CVE-2026-42280 was published for auth0-js (npm) on May 6, 2026.

Clerk has an authorization bypass when combining organization, billing, or reverification checks
Severity: High. CVE-2026-42349 was published for @clerk/astro (npm) on Apr 30, 2026.

OpenClaw: Paired-device pairing actions were not limited to the caller device
Severity: Low. GHSA-xrq9-jm7v-g9h7 was published for openclaw (npm) on Apr 25, 2026. Credited to Hinotoi-agent.

OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy
Severity: Moderate. GHSA-72q8-jcmc-97wx was published for openclaw (npm) on Apr 25, 2026. Credited to zsxsoft, KeenSecurityLab, and qclawer.

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
Severity: Low. CVE-2026-41908 was published for openclaw (npm) on Apr 25, 2026. Credited to Kherrisan.

Duplicate Advisory: OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
Severity: Low. GHSA-qgp3-3rj7-qqq4 was published for openclaw (npm) on Apr 24, 2026. Status: withdrawn.

Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Severity: Moderate. GHSA-v3c2-39fm-jq4h was published for openclaw (npm) on Apr 24, 2026. Status: withdrawn.

Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
Severity: Low. GHSA-qgx9-6px9-7p75 was published for openclaw (npm) on Apr 23, 2026. Status: withdrawn.

@saltcorn/data: Tenant user role is used for tenant creation role check
Severity: High. GHSA-9237-rg5p-rhfw was published for @saltcorn/data (npm) on Apr 22, 2026. Credited to j2l.

Auth0 Next.js SDK has Improper Proxy Cache Lookup
Severity: Moderate. CVE-2026-40155 was published for @auth0/nextjs-auth0 (npm) on Apr 21, 2026.