Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,648 advisories

Loading
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake) High
GHSA-fq4x-789w-jg5h was published for @agenticmail/claudecode (npm) Jun 18, 2026
matte1782 Credited to matte1782
AgenticMail: Cross-agent task authorization bypass in AgenticMail API High
GHSA-hjwc-26pj-v3pm was published for @agenticmail/api (npm) Jun 18, 2026
YHalo-wyh Credited to YHalo-wyh
tonghuaroot Credited to tonghuaroot and UlisesGascon UlisesGascon UlisesGascon
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass High
CVE-2026-9675 was published for undici (npm) Jun 18, 2026
mauriceng98 Credited to mauriceng98, Str1ckl4nd, mcollina, and UlisesGascon Str1ckl4nd Str1ckl4nd
mcollina mcollina UlisesGascon UlisesGascon
npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining High
GHSA-5jv7-2mjm-h6qj was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI AgentLoop onToolCall approval runs after tool execution High
GHSA-h2w2-v7j6-xqm4 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining High
GHSA-vjv9-7m7j-h833 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients High
GHSA-gqmf-56h7-rrpf was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
rexpository Credited to rexpository
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody` High
CVE-2026-55603 was published for http-proxy-middleware (npm) Jun 18, 2026
RamiAltai Credited to RamiAltai
piscina: Prototype Pollution Gadget → RCE via inherited options.filename High
CVE-2026-55388 was published for piscina (npm) Jun 18, 2026
ridingsa Credited to ridingsa
OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution High
CVE-2026-53842 was published for openclaw (npm) Jun 18, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Shell inline-command parsing could miss an allowlist check High
CVE-2026-53866 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Pairing-scoped device session could restore revoked node token authority High
CVE-2026-53843 was published for openclaw (npm) Jun 18, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
OpenClaw: Host environment sanitizer missed two Node.js control variables High
CVE-2026-53864 was published for openclaw (npm) Jun 18, 2026
nayakchinmohan Credited to nayakchinmohan
Multer vulnerable to Denial of Service via deeply nested field names High
CVE-2026-5079 was published for multer (npm) Jun 17, 2026
tndud042713 Credited to tndud042713, UlisesGascon, and bjohansebas UlisesGascon UlisesGascon
bjohansebas bjohansebas
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin High
CVE-2026-53840 was published for openclaw (npm) Jun 17, 2026
YLChen-007 Credited to YLChen-007
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts High
CVE-2026-54328 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
urianpaul94 Credited to urianpaul94
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host High
CVE-2026-54304 was published for n8n (npm) Jun 16, 2026
34selen Credited to 34selen
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions High
CVE-2026-54309 was published for n8n (npm) Jun 16, 2026
ESPanda666 Credited to ESPanda666
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints High
CVE-2026-54305 was published for n8n (npm) Jun 16, 2026
Solidscripting Credited to Solidscripting and Har1sh-k Har1sh-k Har1sh-k
n8n: Credential Exfiltration via Permission Bypass High
CVE-2026-54307 was published for n8n (npm) Jun 16, 2026
momenashrafff Credited to momenashrafff
n8n: Stored XSS in Chat Trigger Node High
CVE-2026-54302 was published for n8n (npm) Jun 16, 2026
sm1ee Credited to sm1ee
n8n: Microsoft SQL Node Prototype Pollution High
CVE-2026-54312 was published for n8n (npm) Jun 16, 2026
s2ongmo Credited to s2ongmo
ProTip! Advisories are also available from the GraphQL API