Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,648 advisories

Loading
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests High
GHSA-v3f4-w7r7-v3hm was published for @zenalexa/unicli (npm) Jun 19, 2026
dodge1218 Credited to dodge1218
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read` High
GHSA-mrvx-jmjw-vggc was published for mcp-searxng (npm) Jun 19, 2026
EQSTLab Credited to EQSTLab and useworld useworld useworld
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read` High
GHSA-xcqx-9jf5-w339 was published for mcp-searxng (npm) Jun 19, 2026
EQSTLab Credited to EQSTLab
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning High
GHSA-2fmp-9rvw-hc96 was published for network-ai (npm) Jun 19, 2026
sondt99 Credited to sondt99
kulesy Credited to kulesy, sondt99, and dungNHVhust sondt99 sondt99
dungNHVhust dungNHVhust
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key High
CVE-2026-55091 was published for flat-to-nested (npm) Jun 19, 2026
moizxsec Credited to moizxsec
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument High
CVE-2026-55849 was published for @cyclonedx/cyclonedx-npm (npm) Jun 19, 2026
fortress07 Credited to fortress07 and jkowalleck jkowalleck jkowalleck
jupyterlab-git extension: Stored XSS leading to RCE High
CVE-2026-54527 was published for @jupyterlab/git (npm) Jun 19, 2026
krassowski Credited to krassowski and jtpio jtpio jtpio
parse-server: Denial of service via exponential-time processing of deeply nested query operators High
GHSA-cgxm-vr2f-6fj8 was published for parse-server (npm) Jun 19, 2026
sajdakabir Credited to sajdakabir and mtrezza mtrezza mtrezza
undici WebSocket client vulnerable to denial of service via fragment count bypass High
CVE-2026-12151 was published for undici (npm) Jun 19, 2026
lpinca Credited to lpinca, Nadav0077, and UlisesGascon Nadav0077 Nadav0077
UlisesGascon UlisesGascon
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse High
CVE-2026-6734 was published for undici (npm) Jun 19, 2026
ChALkeR Credited to ChALkeR, mcollina, and UlisesGascon mcollina mcollina
UlisesGascon UlisesGascon
OpenClaw: Workspace-derived service PATH could influence trash command selection High
CVE-2026-53865 was published for openclaw (npm) Jun 18, 2026
OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots High
CVE-2026-53858 was published for openclaw (npm) Jun 18, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Discord allowFrom could bind to mutable display names High
CVE-2026-53849 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install High
CVE-2026-53846 was published for openclaw (npm) Jun 18, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns High
CVE-2026-53853 was published for openclaw (npm) Jun 18, 2026
amwhoi Credited to amwhoi
OpenClaw: Zalo allowFrom could bind to mutable display names High
CVE-2026-53857 was published for openclaw (npm) Jun 18, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Shell positional parameters could weaken strict inline-eval checks High
CVE-2026-53855 was published for openclaw (npm) Jun 18, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions High
CVE-2026-44691 was published for @theia/debug (npm) Jun 18, 2026
[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat High
CVE-2026-46580 was published for @theia/ai-chat (npm) Jun 18, 2026
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat High
CVE-2026-44688 was published for @theia/ai-chat (npm) Jun 18, 2026
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL High
GHSA-qqf5-x7mj-v43p was published for budibase (npm) Jun 18, 2026
mhr-isham Credited to mhr-isham
ProTip! Advisories are also available from the GraphQL API