
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,214 advisories

Arbitrary code execution in protobufjs [Critical]
CVE-2026-41242 was published for protobufjs (npm) Apr 16, 2026
Credited to cristianstaicu, alexander-fenster, and sofisl

Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution [Critical]
CVE-2026-42076 was published for @evomap/evolver (npm) Apr 22, 2026
Credited to xeloxa

VM2 Sandbox Breakout Through __lookupGetter__ [Critical]
CVE-2026-24118 was published for vm2 (npm) May 4, 2026
Credited to XmiliaH

n8n has XML Node Prototype Pollution that Leads to RCE [Critical]
CVE-2026-42232 was published for n8n (npm) Apr 29, 2026
Credited to simonkoeck

n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE [Critical]
CVE-2026-42231 was published for n8n (npm) Apr 29, 2026
Credited to a-tallat
Credited to tdjackey

Remote Code Execution (RCE) via String Literal Injection into math-codegen [Critical]
CVE-2026-41507 was published for math-codegen (npm) Apr 17, 2026
Credited to hits3134 and hits313

electerm: electerm_install_script_CommandInjection Vulnerability Report [Critical]
CVE-2026-41500 was published for electerm (npm) Apr 16, 2026
Credited to Yuremin and FORIMOC

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability [Critical]
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
Credited to zdi-disclosures

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) [Critical]
CVE-2026-41478 was published for @saltcorn/server (npm) Apr 16, 2026
Credited to QiaoNPC
Credited to AyushParkara

paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass [Critical]
CVE-2026-41679 was published for @paperclipai/server (npm) Apr 10, 2026
Credited to sagilayani

Official Clerk JavaScript SDKs: Middleware-based route protection bypass [Critical]
CVE-2026-41248 was published for @clerk/astro (npm) Apr 16, 2026
Credited to YouGina

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) [Critical]
CVE-2025-66398 was published for signalk-server (npm) Jan 2, 2026
Credited to NoNoNGU

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses [Critical]
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
Credited to DanusMinimus and EladMeged-Novee

@vendure/core has a SQL Injection vulnerability [Critical]
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
Credited to jacobfrantz1

OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile [Critical]
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab

thenify before 3.3.1 made use of unsafe calls to `eval`. [Critical]
CVE-2020-7677 was published for org.webjars.npm:thenify (Maven) Jul 18, 2022
Credited to Wenxin-Jiang

Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability [Critical]
CVE-2026-41265 was published for flowise (npm) Apr 18, 2026
Credited to zdi-disclosures

electerm has Command Injection via runLinux function [Critical]
CVE-2026-41501 was published for electerm (npm) Apr 24, 2026
Credited to FORIMOC

Flowise: Code Injection in CSVAgent leads to Authenticated RCE [Critical]
CVE-2026-41137 was published for flowise (npm) Apr 16, 2026
Credited to supriza

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation [Critical]
CVE-2026-41329 was published for openclaw (npm) Apr 2, 2026
Credited to AntAISecurityLab
Credited to tdjackey

OpenClaw: Feishu webhook and card-action validation now fail closed [Critical]
GHSA-xh72-v6v9-mwhc was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2

OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files [Critical]
CVE-2025-61260 was published for @openai/codex (npm) Apr 14, 2026