Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,518
Maven
5,000+
npm
5,000+
NuGet
911
pip
4,758
Pub
13
RubyGems
1,036
Rust
1,228
Swift
53
Unreviewed advisories
All unreviewed
5,000+

24 advisories

Loading
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting High
CVE-2026-39884 was published for mcp-server-kubernetes (npm) Apr 14, 2026
TharVid Credited to TharVid
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh High
GHSA-p4h8-56qp-hpgv was published for @aiondadotcom/mcp-ssh (npm) Apr 14, 2026
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference High
CVE-2026-34769 was published for electron (npm) Apr 3, 2026
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
CVE-2026-29608 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments High
CVE-2026-22168 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) Mar 19, 2026 withdrawn
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
CVE-2026-28470 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API Moderate
CVE-2023-26143 was published for blamer (npm) Sep 19, 2023
lirantal Credited to lirantal
@conventional-changelog/git-client has Argument Injection vulnerability Moderate
CVE-2025-59433 was published for @conventional-changelog/git-client (npm) Sep 22, 2025
lirantal Credited to lirantal
ggit is vulnerable to Arbitrary Argument Injection via the clone() API Moderate
CVE-2024-21533 was published for ggit (npm) Oct 8, 2024
lirantal Credited to lirantal
Matrix IRC Bridge allows IRC command injection to own puppeted user Low
CVE-2025-27146 was published for matrix-appservice-irc (npm) Feb 25, 2025
funderscore1 Credited to funderscore1
git-shallow-clone Argument Injection vulnerability Moderate
CVE-2024-21531 was published for git-shallow-clone (npm) Oct 1, 2024
dsimk Credited to dsimk
Prototype Pollution in mixin-deep Critical
CVE-2019-10746 was published for mixin-deep (npm) Aug 27, 2019
Arbitrary Code Execution in mathjs Critical
CVE-2017-1001003 was published for mathjs (npm) Dec 18, 2017
Command injection in git-clone High
CVE-2022-25900 was published for git-clone (npm) Jul 2, 2022
lirantal Credited to lirantal
Command injection in simple-git High
CVE-2022-24066 was published for simple-git (npm) Apr 2, 2022
lirantal Credited to lirantal and rhelinko-telia rhelinko-telia rhelinko-telia
Remote command injection when using sendmail email transport Moderate
GHSA-wfrj-qqc2-83cm was published for ghost (npm) Sep 20, 2021
tdunlap607 Credited to tdunlap607
Command injection in nodemailer Critical
CVE-2020-7769 was published for nodemailer (npm) May 10, 2021
Null characters not escaped High
CVE-2021-21384 was published for shescape (npm) Mar 18, 2021
OS Command Injection in git-promise High
CVE-2022-24376 was published for git-promise (npm) Jun 11, 2022
lirantal Credited to lirantal
Command injection in git-interface Critical
CVE-2022-1440 was published for git-interface (npm) Apr 23, 2022
lirantal Credited to lirantal
mc-kill-port vulnerable to Arbitrary Command Execution via kill function High
CVE-2022-25973 was published for mc-kill-port (npm) Aug 11, 2022
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database