Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

1,266 advisories

Loading
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes Critical
CVE-2026-33807 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Fastify's connection header abuse enables stripping of proxy-added headers Critical
CVE-2026-33805 was published for @fastify/http-proxy (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
jacobfrantz1 Credited to jacobfrantz1
OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files Critical
CVE-2025-61260 was published for @openai/codex (npm) Apr 14, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
CVE-2026-41679 was published for @paperclipai/server (npm) Apr 10, 2026
sagilayani Credited to sagilayani
@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections Critical
CVE-2026-39397 was published for @delmaredigital/payload-puck (npm) Apr 8, 2026
Dag-Rui Credited to Dag-Rui
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step Critical
CVE-2026-35216 was published for @budibase/server (npm) Apr 4, 2026
da7om85 Credited to da7om85
SandboxJS: Sandbox integrity escape Critical
CVE-2026-34208 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
fancymalware Credited to fancymalware
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity Critical
CVE-2026-33950 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist Critical
CVE-2026-31818 was published for @budibase/backend-core (npm) Apr 3, 2026
Moonster8282 Credited to Moonster8282
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache) Critical
GHSA-xg6x-h9c9-2m83 was published for better-auth (npm) Apr 3, 2026
TriDecent Credited to TriDecent
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile Critical
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation Critical
CVE-2026-41329 was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key Critical
CVE-2026-34950 was published for fast-jwt (npm) Apr 2, 2026
rtvkiz Credited to rtvkiz
Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions Critical
GHSA-3hfp-gqgh-xc5g was published for @lightdash/cli (npm) Apr 2, 2026
Axios npm Supply Chain Incident Impacting @usebruno/cli Critical
CVE-2026-34841 was published for @usebruno/cli (npm) Apr 2, 2026
Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery Critical
CVE-2026-34751 was published for @payloadcms/graphql (npm) Apr 1, 2026
wsk3r Credited to wsk3r
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover Critical
CVE-2026-41294 was published for openclaw (npm) Apr 1, 2026
tdjackey Credited to tdjackey
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation Critical
CVE-2026-33579 was published for openclaw (npm) Mar 31, 2026
AntAISecurityLab Credited to AntAISecurityLab
parse-server has cloud function validator bypass via prototype chain traversal Critical
CVE-2026-34532 was published for parse-server (npm) Mar 31, 2026
mtrezza Credited to mtrezza and bugbunny-research bugbunny-research bugbunny-research
Duplicate Advisory: OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-phgf-3849-rgjq was published for openclaw (npm) Mar 31, 2026 withdrawn
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node Critical
CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) Mar 30, 2026
onurcangnc Credited to onurcangnc
MikroORM is vulnerable to SQL Injection via specially crafted object Critical
CVE-2026-34220 was published for @mikro-orm/core (npm) Mar 29, 2026
lukas-eu Credited to lukas-eu
Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity Critical
GHSA-rwwx-25m7-ww73 was published for openclaw (npm) Mar 29, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database