Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,405
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,875 advisories

Loading
Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits Moderate
CVE-2026-35441 was published for directus (npm) Apr 4, 2026
liyander Credited to liyander
Directus: Sensitive fields exposed in revision history Moderate
GHSA-mvv8-v4jj-g47j was published for directus (npm) Apr 4, 2026
Directus: GraphQL Schema SDL Disclosure Setting Moderate
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research and odgrso odgrso odgrso
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Directus: Open Redirect in Admin 2FA Setup Page Moderate
CVE-2026-35411 was published for directus (npm) Apr 4, 2026
ComfortablyCoding Credited to ComfortablyCoding, Akokonunes, and neo-ai-engineer Akokonunes Akokonunes
neo-ai-engineer neo-ai-engineer
Replicator deserializes untrusted user input Moderate
CVE-2026-2265 was published for replicator (npm) Apr 1, 2026
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler Moderate
CVE-2026-34217 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
chawdamrunal Credited to chawdamrunal
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser Moderate
CVE-2026-34211 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
offset Credited to offset
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses Moderate
GHSA-rm5c-4rmf-vvhw was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
n8n has XSS in Chat Trigger Node through Custom CSS Moderate
GHSA-3c7f-5hgj-h279 was published for n8n (npm) Mar 27, 2026
JorianWoltjer Credited to JorianWoltjer and ioaniftimesei ioaniftimesei ioaniftimesei
DOMPurify ADD_ATTR predicate skips URI validation Moderate
GHSA-cjmm-f4jc-qw8r was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
DOMPurify USE_PROFILES prototype pollution allows event handlers Moderate
GHSA-cj63-jhhr-wcxv was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message Moderate
GHSA-6336-qqw9-v6x6 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials Moderate
GHSA-9f4w-67g7-mqwv was published for openclaw (npm) Apr 3, 2026
zsxsoft Credited to zsxsoft
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled Moderate
GHSA-3xv9-89fm-7h4r was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist Moderate
GHSA-rvvf-6vh3-9j43 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts Moderate
GHSA-f693-58pc-2gfr was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Discord voice manager bypasses channel-level member access allowlist Moderate
GHSA-cqgw-44wg-44rf was published for openclaw (npm) Apr 3, 2026
zsxsoft Credited to zsxsoft
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders Moderate
GHSA-m6fx-m8hc-572m was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) Moderate
GHSA-2w79-r9g8-wmcr was published for openclaw (npm) Apr 3, 2026
Kazamayc Credited to Kazamayc
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting Moderate
GHSA-6p8r-6m93-557f was published for openclaw (npm) Apr 3, 2026
kexinoh Credited to kexinoh
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables Moderate
GHSA-cg7q-fg22-4g98 was published for openclaw (npm) Apr 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read Moderate
GHSA-58q2-7r52-jq62 was published for openclaw (npm) Apr 3, 2026
north-echo Credited to north-echo
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database