Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

18 advisories

Loading
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where... Critical Unreviewed
CVE-2026-43578 was published May 6, 2026
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation... Critical Unreviewed
CVE-2026-34415 was published Apr 22, 2026
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability Critical
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
zdi-disclosures Credited to zdi-disclosures
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability Critical
CVE-2026-41265 was published for flowise (npm) Apr 18, 2026
zdi-disclosures Credited to zdi-disclosures
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf Critical
CVE-2026-34177 was published for github.com/canonical/lxd (Go) Apr 10, 2026
mpurg Credited to mpurg
SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) Critical
CVE-2026-32940 was published for github.com/siyuan-note/siyuan (Go) Mar 17, 2026
vnykmshr Credited to vnykmshr
PickleScan has multiple stdlib modules with direct RCE not in blocklist Critical
GHSA-g38g-8gr9-h9xp was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
PickleScan's profile.run blocklist mismatch allows exec() bypass Critical
GHSA-7wx9-6375-f5wh was published for picklescan (pip) Mar 3, 2026
yash2998chhabria Credited to yash2998chhabria
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode Critical
CVE-2026-28363 was published for openclaw (npm) Feb 27, 2026
ServiceNow has addressed an input validation vulnerability that was identified in the Washington... Critical Unreviewed
CVE-2024-5217 was published Jul 10, 2024
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code Critical
CVE-2023-45133 was published for @babel/traverse (npm) Oct 16, 2023
SteakEnthusiast Credited to SteakEnthusiast, ashdude1401, nicolo-ribaudo, Apetree100122, and ebickle ashdude1401 ashdude1401
nicolo-ribaudo nicolo-ribaudo Apetree100122 Apetree100122 ebickle ebickle
Incomplete List of Disallowed Inputs vulnerability in Bookreen allows Privilege Escalation.This... Critical Unreviewed
CVE-2023-3374 was published Sep 5, 2023
Agent-to-controller access control allows reading/writing most content of build directories in Jenkins Critical
CVE-2021-21697 was published for org.jenkins-ci.main:jenkins-core (Maven) May 24, 2022
NotMyFault Credited to NotMyFault
Incomplete List of Disallowed Inputs in SOFA-Hessian Critical
CVE-2019-9212 was published for com.alipay.sofa:hessian (Maven) Mar 6, 2019
jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution Critical
CVE-2017-15095 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Oct 18, 2018
sunSUNQ Credited to sunSUNQ
FasterXML jackson-databind allows unauthenticated remote code execution Critical
CVE-2018-7489 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Oct 16, 2018
sunSUNQ Credited to sunSUNQ
jackson-databind is vulnerable to a deserialization flaw Critical
CVE-2017-7525 was published for com.fasterxml.jackson.core:jackson-databind (Maven) Oct 16, 2018
sunSUNQ Credited to sunSUNQ
Safemode Gem Has Incomplete List of Disallowed Inputs Critical
CVE-2017-7540 was published for safemode (RubyGems) Oct 24, 2017
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database