Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,384 advisories

Loading
DavidCarliez Credited to DavidCarliez
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` Moderate
CVE-2026-44646 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body Moderate
CVE-2026-44645 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS Moderate
CVE-2026-44644 was published for liquidjs (npm) May 27, 2026
offset Credited to offset and 0xEr3n 0xEr3n 0xEr3n
Potential XSS vulnerability in jQuery Moderate
CVE-2020-11022 was published for athlon1600/youtube-downloader (RubyGems) Apr 29, 2020
masatokinugawa Credited to masatokinugawa, Churro, Rudloff, sealonohana, and Athlon1600 Churro Churro
Rudloff Rudloff sealonohana sealonohana Athlon1600 Athlon1600
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data Moderate
GHSA-382c-vx95-w3p5 was published for @jsonbored/gittensory-mcp (npm) Jul 9, 2026
homanp Credited to homanp
Claw Orchestrator has inefficient regular expression complexity via validateRegex() Moderate
CVE-2026-10291 was published for @enderfga/claw-orchestrator (npm) Jun 2, 2026
Claw Orchestrator is missing authentication for the component API Endpoint Moderate
CVE-2026-10281 was published for @enderfga/claw-orchestrator (npm) Jun 1, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch Moderate
CVE-2026-49455 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` Moderate
CVE-2026-47200 was published for @nuxt/nitro-server (npm) May 29, 2026
rmtsixq Credited to rmtsixq
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) Moderate
CVE-2026-45670 was published for @nuxt/rspack-builder (npm) May 19, 2026
sapphi-red Credited to sapphi-red
Nuxt: Reflected XSS in `navigateTo()` external redirect Moderate
CVE-2026-45669 was published for nuxt (npm) May 19, 2026
Mr-In4inci3le Credited to Mr-In4inci3le
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060) Moderate
CVE-2026-53509 was published for @aborruso/ckan-mcp-server (npm) Jul 7, 2026
hibrian827 Credited to hibrian827
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation Moderate
GHSA-x4hg-hfwf-p9mw was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
nimonian Credited to nimonian
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString Moderate
CVE-2026-50290 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state Moderate
GHSA-qcr8-x557-7cp3 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection Moderate
GHSA-5c7w-4wm3-85vw was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers Moderate
CVE-2026-53818 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
ProTip! Advisories are also available from the GraphQL API