Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

449 advisories

Loading
Keystone: GraphQL API Endpoint Lacks Query Depth Limits Low
CVE-2026-10802 was published for @keystone-6/core (npm) Jun 4, 2026
Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__ Low
CVE-2026-54335 was published for @feathersjs/commons (npm) Jul 14, 2026
ridingsa Credited to ridingsa
DesktopCommanderMCP is vulnerable to SSRF Low
CVE-2026-10690 was published for @wonderwhy-er/desktop-commander (npm) Jun 3, 2026
DesktopCommanderMCP is vulnerable to Uncontrolled Resource Consumption Low
CVE-2026-10691 was published for @wonderwhy-er/desktop-commander (npm) Jun 3, 2026
Waku has an Open Redirect via `unstable_redirect` Helper Low
CVE-2026-49456 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning Low
CVE-2026-46342 was published for @nuxt/nitro-server (npm) May 19, 2026
fancymalware Credited to fancymalware
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows Low
GHSA-2vg6-77g8-24mp was published for @better-auth/scim (npm) Jul 7, 2026
iruizsalinas Credited to iruizsalinas
OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement Low
GHSA-3wqp-prf6-2m72 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Blitz has a Cross-site Scripting issue Low
CVE-2026-9520 was published for blitz (npm) May 26, 2026
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
MorganOnCode Credited to MorganOnCode
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, mattiasljungstrom, Wenxin-Jiang, and massif-01 KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom Wenxin-Jiang Wenxin-Jiang massif-01 massif-01
neotoma has tenant isolation gap in relationship query endpoints Low
GHSA-wrr4-782v-jhwh was published for neotoma (npm) Jun 25, 2026
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change Low
GHSA-97pr-9hgg-3p8r was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe Low
GHSA-h5jc-78hr-3pc9 was published for @sveltia/cms (npm) Jun 19, 2026
blacksolo1 Credited to blacksolo1
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist Low
CVE-2026-55778 was published for parse-server (npm) Jun 19, 2026
mtrezza Credited to mtrezza
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist Low
CVE-2026-53724 was published for parse-server (npm) Jun 19, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
sondt99 Credited to sondt99
UlisesGascon Credited to UlisesGascon, KhafraDev, and mcollina KhafraDev KhafraDev
mcollina mcollina
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse Low
CVE-2026-6733 was published for undici (npm) Jun 19, 2026
mcollina Credited to mcollina and UlisesGascon UlisesGascon UlisesGascon
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment Low
CVE-2026-53852 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment Low
GHSA-hc4w-hm59-9w88 was published for openclaw (npm) Jun 16, 2026 withdrawn
OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers Low
CVE-2026-53860 was published for openclaw (npm) Jun 18, 2026
YLChen-007 Credited to YLChen-007
Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers Low
GHSA-8hj2-w4c9-fjfq was published for openclaw (npm) Jun 16, 2026 withdrawn
OpenClaw: Skill-command dispatch could skip before-tool-call hooks Low
CVE-2026-53845 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks Low
GHSA-r7vv-6763-m739 was published for openclaw (npm) Jun 16, 2026 withdrawn
ProTip! Advisories are also available from the GraphQL API