GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,266 advisories
VM2 Has Sandbox Breakout Through Inspect Function
Critical
CVE-2026-24781
was published
for
vm2
(npm)
May 5, 2026
VM2 Has Sandbox Breakout Through Promise Species
Critical
CVE-2026-24120
was published
for
vm2
(npm)
May 5, 2026
VM2 Sandbox Breakout Through __lookupGetter__
Critical
CVE-2026-24118
was published
for
vm2
(npm)
May 4, 2026
n8n has XML Node Prototype Pollution that to RCE
Critical
CVE-2026-42232
was published
for
n8n
(npm)
Apr 29, 2026
n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Critical
CVE-2026-42231
was published
for
n8n
(npm)
Apr 29, 2026
electerm has Command Injection via runLinux funtion
Critical
CVE-2026-41501
was published
for
electerm
(npm)
Apr 24, 2026
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Critical
GHSA-wpqr-6v78-jr5g
was published
for
@google/gemini-cli
(GitHub Actions)
Apr 24, 2026
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
Critical
CVE-2026-42076
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41264
was published
for
flowise
(npm)
Apr 21, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical
CVE-2026-41265
was published
for
flowise
(npm)
Apr 18, 2026
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical
CVE-2026-44109
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Gateway HTTP endpoints re-resolve bearer auth after SecretRef rotation
Critical
CVE-2026-43585
was published
for
openclaw
(npm)
Apr 17, 2026
Remote Code Execution (RCE) via String Literal Injection into math-codegen
Critical
CVE-2026-41507
was published
for
math-codegen
(npm)
Apr 17, 2026
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Critical
CVE-2026-41478
was published
for
@saltcorn/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Critical
GHSA-3xx2-mqjm-hg9x
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Critical
GHSA-47wq-cj9q-wpmp
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
Critical
GHSA-vr7g-88fq-vhq3
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
Critical
CVE-2026-41428
was published
for
@budibase/backend-core
(npm)
Apr 16, 2026
Arbitrary code execution in protobufjs
Critical
CVE-2026-41242
was published
for
protobufjs
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Critical
CVE-2026-41137
was published
for
flowise
(npm)
Apr 16, 2026
Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Critical
CVE-2026-41248
was published
for
@clerk/astro
(npm)
Apr 16, 2026
electerm: electerm_install_script_CommandInjection Vulnerability Report
Critical
CVE-2026-41500
was published
for
electerm
(npm)
Apr 16, 2026
Flowise: Authenticated RCE Via MCP Adapters
Critical
CVE-2026-40933
was published
for
flowise
(npm)
Apr 16, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API