Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,316 advisories

Loading
nuiifornet Credited to nuiifornet
n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments Critical
CVE-2026-54052 was published for n8n-mcp (npm) Jul 14, 2026
axsharma Credited to axsharma and 0xmagic0 0xmagic0 0xmagic0
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
9router: Missing Authorization and OS Command Injection Critical
CVE-2026-59800 was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy Critical
GHSA-w4v6-g3wm-w36c was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header Critical
CVE-2026-53943 was published for ghost (npm) Jul 1, 2026
Crypto-Cat Credited to Crypto-Cat
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string Critical
CVE-2026-48713 was published for i18next-fs-backend (npm) Jun 25, 2026
codeswhite Credited to codeswhite
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names Critical
CVE-2026-48714 was published for i18next-http-middleware (npm) Jun 25, 2026
codeswhite Credited to codeswhite
Budibase has nonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
kah-ja Credited to kah-ja
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload Critical
CVE-2026-54352 was published for @budibase/server (npm) Jun 22, 2026
kah-ja Credited to kah-ja
scimPatch vulnerable to prototype pollution via unfiltered keys in patch Critical
CVE-2026-48170 was published for scim-patch (npm) Jun 22, 2026
McHippy3 Credited to McHippy3 and leewang0 leewang0 leewang0
Network-AI: Improper Neutralization of Special Elements used in an OS Command Critical
CVE-2026-54051 was published for network-ai (npm) Jun 19, 2026
lexdotdev Credited to lexdotdev
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests Critical
CVE-2026-48814 was published for network-ai (npm) Jun 19, 2026
SnailSploit Credited to SnailSploit
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) Critical
CVE-2026-0755 was published for gemini-mcp-tool (npm) Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
CVE-2026-58399 was published for @acastellon/auth (npm) Jun 18, 2026
hackchang Credited to hackchang
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call Critical
GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation Critical
GHSA-9752-mhqh-h34f was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool Critical
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
sondt99 Credited to sondt99
ProTip! Advisories are also available from the GraphQL API