
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,161 advisories

OpenClaw: Silent privilege escalation via gateway shared-auth reconnect Critical
GHSA-fqw4-mph7-2vr8 was published for openclaw (npm) Mar 27, 2026
Credited to zpbrent
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin Critical
GHSA-9hjh-fr4f-gxc4 was published for openclaw (npm) Mar 27, 2026
Credited to zpbrent
Handlebars.js has JavaScript Injection via AST Type Confusion Critical
CVE-2026-33937 was published for handlebars (npm) Mar 27, 2026
Credited to RealHurrison
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve Critical
GHSA-hf68-49fm-59cq was published for openclaw (npm) Mar 26, 2026
Credited to zpbrent
Convict has Prototype Pollution via startsWith() function Critical
CVE-2026-33864 was published for convict (npm) Mar 26, 2026
Credited to kevgeoleo, vdata1, reallyTG, fkiriakos07, toufali, and clouserw
Convict has prototype pollution via load(), loadFile(), and schema initialization Critical
CVE-2026-33863 was published for convict (npm) Mar 26, 2026
Credited to toufali and clouserw
n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE Critical
CVE-2026-33696 was published for n8n (npm) Mar 26, 2026
Credited to simonkoeck
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode Critical
CVE-2026-33660 was published for n8n (npm) Mar 25, 2026
Credited to duddnr0615k, simonkoeck, c0rydoras, and nil340
node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter Critical
CVE-2026-26832 was published for node-tesseract-ocr (npm) Mar 25, 2026
pdf-image has an OS Command Injection Vulnerability through its pdfFilePath parameter Critical
CVE-2026-26830 was published for pdf-image (npm) Mar 25, 2026
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-x49q-fhhm-r9jf was published for openclaw (npm) Mar 20, 2026 (withdrawn)
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint Critical
GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) Mar 19, 2026
Credited to riczardo
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction Critical
CVE-2026-32731 was published for @apostrophecms/import-export (npm) Mar 18, 2026
Credited to 0xEr3n
jsPDF has HTML Injection in New Window paths Critical
CVE-2026-31938 was published for jspdf (npm) Mar 17, 2026
Credited to sofianeelhor and peaktwilight
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
CVE-2026-22172 was published for openclaw (npm) Mar 13, 2026
Credited to LUOYEcode
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization Critical
CVE-2026-32621 was published for @apollo/federation-internals (npm) Mar 13, 2026
Credited to r3dbrothers
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters Critical
CVE-2026-32306 was published for oneuptime (npm) Mar 13, 2026
Credited to offset
Locutus vulnerable to RCE via unsanitized input in create_function() Critical
CVE-2026-32304 was published for locutus (npm) Mar 13, 2026
Credited to ByamB4
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE Critical
GHSA-4jpw-hj22-2xmc was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-xw77-45gv-p728 was published for openclaw (npm) Mar 13, 2026
Credited to tdjackey
SandboxJS affected by a Sandbox Escape Critical
CVE-2026-26954 was published for @nyariv/sandboxjs (npm) Mar 13, 2026
Credited to c0rydoras and alaeddine03
Parse Server: Account takeover via operator injection in authentication data identifier Critical
CVE-2026-32248 was published for parse-server (npm) Mar 12, 2026
Credited to fancymalware and mtrezza
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance Critical
CVE-2026-32242 was published for parse-server (npm) Mar 12, 2026
Credited to fancymalware and mtrezza
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL Critical
CVE-2026-31871 was published for parse-server (npm) Mar 11, 2026
Credited to offset and mtrezza