GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,648 advisories
Filter by severity
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
High
GHSA-v3f4-w7r7-v3hm
was published
for
@zenalexa/unicli
(npm)
Jun 19, 2026
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
High
GHSA-mrvx-jmjw-vggc
was published
for
mcp-searxng
(npm)
Jun 19, 2026
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
High
GHSA-xcqx-9jf5-w339
was published
for
mcp-searxng
(npm)
Jun 19, 2026
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
High
GHSA-2fmp-9rvw-hc96
was published
for
network-ai
(npm)
Jun 19, 2026
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
High
CVE-2026-55660
was published
for
@tinacms/app
(npm)
Jun 19, 2026
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
High
CVE-2026-54074
was published
for
@tinacms/cli
(npm)
Jun 19, 2026
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
High
CVE-2026-55091
was published
for
flat-to-nested
(npm)
Jun 19, 2026
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
High
CVE-2026-55849
was published
for
@cyclonedx/cyclonedx-npm
(npm)
Jun 19, 2026
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
High
GHSA-v52w-28xh-v562
was published
for
@kozou/api
(npm)
Jun 19, 2026
jupyterlab-git extension: Stored XSS leading to RCE
High
CVE-2026-54527
was published
for
@jupyterlab/git
(npm)
Jun 19, 2026
Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
High
GHSA-vcv2-r9jh-99m5
was published
for
agentic-flow
(npm)
Jun 19, 2026
parse-server: Denial of service via exponential-time processing of deeply nested query operators
High
GHSA-cgxm-vr2f-6fj8
was published
for
parse-server
(npm)
Jun 19, 2026
undici WebSocket client vulnerable to denial of service via fragment count bypass
High
CVE-2026-12151
was published
for
undici
(npm)
Jun 19, 2026
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
High
CVE-2026-6734
was published
for
undici
(npm)
Jun 19, 2026
OpenClaw: Workspace-derived service PATH could influence trash command selection
High
CVE-2026-53865
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
High
CVE-2026-53858
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Discord allowFrom could bind to mutable display names
High
CVE-2026-53849
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install
High
CVE-2026-53846
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
High
CVE-2026-53853
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Zalo allowFrom could bind to mutable display names
High
CVE-2026-53857
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
High
CVE-2026-53855
was published
for
openclaw
(npm)
Jun 18, 2026
[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions
High
CVE-2026-44691
was published
for
@theia/debug
(npm)
Jun 18, 2026
[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat
High
CVE-2026-46580
was published
for
@theia/ai-chat
(npm)
Jun 18, 2026
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat
High
CVE-2026-44688
was published
for
@theia/ai-chat
(npm)
Jun 18, 2026
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL
High
GHSA-qqf5-x7mj-v43p
was published
for
budibase
(npm)
Jun 18, 2026
ProTip!
Advisories are also available from the
GraphQL API