GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,722 advisories

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials Moderate
CVE-2026-33311 was published for @dicebear/core (npm) Mar 19, 2026
Credited to restriction
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution Moderate
GHSA-xrgv-34cc-q765 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace Moderate
GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) Mar 19, 2026 withdrawn
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Moderate
GHSA-5rp4-cwgh-gvwq was published for openclaw (npm) Mar 19, 2026 withdrawn
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2026-30048 was published for @developer.notchatbot/webchat (npm) Mar 18, 2026
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read Moderate
GHSA-wr4h-v87w-p3r7 was published for h3 (npm) Mar 18, 2026
Credited to 0xkakash1
h3 has an observable timing discrepancy in basic auth utils Moderate
CVE-2026-33129 was published for h3 (npm) Mar 18, 2026
Credited to simonkoeck
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas Moderate
GHSA-87v3-4cfp-cm76 was published for @pdfme/schemas (npm) Mar 18, 2026
Credited to deprrous
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas Moderate
GHSA-qq9g-96v4-m3cj was published for @pdfme/schemas (npm) Mar 18, 2026
Credited to deprrous
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks Moderate
CVE-2026-33060 was published for @aborruso/ckan-mcp-server (npm) Mar 18, 2026
Credited to abcgco
Parse Server affected by empty authData bypassing credential requirement on signup Moderate
CVE-2026-33042 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Parse Server LiveQuery subscription with invalid regular expression crashes server Moderate
CVE-2026-32770 was published for parse-server (npm) Mar 17, 2026
Credited to fancymalware and mtrezza
Parse Server session creation endpoint allows overwriting server-generated session fields Moderate
CVE-2026-32742 was published for parse-server (npm) Mar 17, 2026
Credited to mtrezza
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy Moderate
CVE-2026-32878 was published for parse-server (npm) Mar 17, 2026
Credited to restriction and mtrezza
Elysia Cookie Value Prototype Pollution Moderate
CVE-2026-31865 was published for elysia (npm) Mar 17, 2026
Next.js: HTTP request smuggling in rewrites Moderate
CVE-2026-29057 was published for next (npm) Mar 17, 2026
Next.js: Unbounded next/image disk cache growth can exhaust storage Moderate
CVE-2026-27980 was published for next (npm) Mar 17, 2026
Next.js: Unbounded postponed resume buffering can lead to DoS Moderate
CVE-2026-27979 was published for next (npm) Mar 17, 2026
Next.js: null origin can bypass Server Actions CSRF checks Moderate
CVE-2026-27978 was published for next (npm) Mar 17, 2026
OpenClaw session transcript files were created without forced user-only permissions Moderate
GHSA-vr7j-g7jv-h5mp was published for openclaw (npm) Mar 16, 2026
Credited to hsongkai11
OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs Moderate
GHSA-xwcj-hwhf-h378 was published for openclaw (npm) Mar 16, 2026
Credited to space08
SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers Moderate
CVE-2026-32723 was published for @nyariv/sandboxjs (npm) Mar 16, 2026
Credited to Zwique, Lumb3, Ved235, BlguunBN, Och1r1, and b34rn00b
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry Moderate
CVE-2026-32630 was published for file-type (npm) Mar 13, 2026
Credited to ByamB4