Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

293 advisories

Loading
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes Critical
CVE-2026-46339 was published for 9router (npm) May 19, 2026
sondt99 Credited to sondt99
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input Moderate
CVE-2026-42853 was published for @apostrophecms/cli (npm) May 14, 2026
VadlaReddySai Credited to VadlaReddySai and Chittu13 Chittu13 Chittu13
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh High
CVE-2026-45136 was published for claude-code-cache-fix (npm) May 13, 2026
schuay Credited to schuay
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name High
CVE-2026-44724 was published for systeminformation (npm) May 13, 2026
thesmartshadow Credited to thesmartshadow
protobuf.js is Vulnerable to OS Command Injection in the CLI High
CVE-2026-42290 was published for protobufjs-cli (npm) May 12, 2026
0x5t4l1n Credited to 0x5t4l1n and dcodeIO dcodeIO dcodeIO
automagik-genie has a command injection vulnerability High
CVE-2026-30635 was published for automagik-genie (npm) May 11, 2026
WebdriverIO BrowserStack Service has a Command Injection issue Critical
CVE-2026-25244 was published for @wdio/browserstack-service (npm) May 11, 2026
hayageek Credited to hayageek
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module Critical
GHSA-v6wj-c83f-v46x was published for @profullstack/mcp-server (npm) May 9, 2026
232-323 Credited to 232-323
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor High
CVE-2026-43943 was published for electerm (npm) May 8, 2026
osageling Credited to osageling
node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js High
CVE-2025-63705 was published for node-ts-ocr (npm) May 7, 2026
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts High
GHSA-jxh8-jh77-xh6g was published for @evomap/evolver (npm) May 5, 2026
offset Credited to offset
LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution Moderate
CVE-2026-42045 was published for @lobehub/lobehub (npm) May 5, 2026
Hpd0ger Credited to Hpd0ger and aftern00n aftern00n aftern00n
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
DanusMinimus Credited to DanusMinimus and EladMeged-Novee EladMeged-Novee EladMeged-Novee
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment High
CVE-2026-41900 was published for openlearnx (npm) Apr 23, 2026
krrazee Credited to krrazee, 0x5t4l1n, and harriiinnii 0x5t4l1n 0x5t4l1n
harriiinnii harriiinnii
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
CVE-2026-42076 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms Moderate
CVE-2026-42435 was published for openclaw (npm) Apr 17, 2026
Paperclip: OS Command Injection via Execution Workspace cleanupCommand Critical
GHSA-vr7g-88fq-vhq3 was published for @paperclipai/server (npm) Apr 16, 2026
YuvalElbar6 Credited to YuvalElbar6
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution High
CVE-2026-41208 was published for @paperclipai/server (npm) Apr 16, 2026
lilmingwa13 Credited to lilmingwa13
Flowise: Authenticated RCE Via MCP Adapters Critical
CVE-2026-40933 was published for flowise (npm) Apr 16, 2026
MosesOX Credited to MosesOX and 13ph03nix 13ph03nix 13ph03nix
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh High
GHSA-p4h8-56qp-hpgv was published for @aiondadotcom/mcp-ssh (npm) Apr 14, 2026
simple-git Affected by Command Execution via Option-Parsing Bypass High
CVE-2026-28291 was published for simple-git (npm) Apr 13, 2026
JuHwiSang Credited to JuHwiSang and adnanrahim110 adnanrahim110 adnanrahim110
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant) Low
CVE-2026-41915 was published for openclaw (npm) Apr 9, 2026
boy-hack Credited to boy-hack
OpenClaw Host-Exec Environment Variable Injection Moderate
GHSA-w9j9-w4cp-6wgr was published for openclaw (npm) Apr 9, 2026
wsparks-vc Credited to wsparks-vc
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class) High
CVE-2026-42427 was published for openclaw (npm) Apr 9, 2026
boy-hack Credited to boy-hack
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database