
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,897 advisories

seroval affected by Denial of Service via RegExp serialization (High)
CVE-2026-23956 was published for seroval (npm) Jan 21, 2026
Credited to tweidinger and lxsmnsyc
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion (High)
CVE-2026-34601 was published for @xmldom/xmldom (npm) Apr 1, 2026
Credited to thesmartshadow and karfau
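The bug class behind the xmldom entry above is a serializer that wraps text in a CDATA section without handling text that itself contains the CDATA terminator "]]>", so attacker-controlled text closes the section early and whatever follows is parsed as markup. The block below is an added illustration of that class, not xmldom's code: `cdataUnsafe`, `cdataSafe`, `readCdataSections` and the sample payload are my own, and the only correct fix shown is the standard one of splitting the text at every "]]>" and emitting adjacent sections.

```javascript
// Added illustration of the CDATA-section injection bug class, not xmldom's
// implementation. Function names and the sample payload are hypothetical.

// Naive serializer: never checks whether the text contains the terminator
// "]]>", so attacker text can close the section and inject real markup.
function cdataUnsafe(text) {
  return '<![CDATA[' + text + ']]>';
}

// Hardened serializer: "]]>" cannot be escaped inside a CDATA section, so the
// text is split at every "]]>" and re-joined as "]]" + "]]>" + "<![CDATA[" + ">".
// The literal terminator therefore never appears inside any single section.
function cdataSafe(text) {
  return '<![CDATA[' + String(text).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Minimal CDATA-aware reader used as the check: it returns the text recovered
// from all sections plus whatever ended up OUTSIDE a section (i.e. what a real
// XML parser would treat as markup). A safe serializer round-trips the text
// exactly and leaves nothing outside.
function readCdataSections(serialized) {
  const OPEN = '<![CDATA[';
  const CLOSE = ']]>';
  let text = '';
  let outside = '';
  let i = 0;
  while (i < serialized.length) {
    const open = serialized.indexOf(OPEN, i);
    if (open === -1) { outside += serialized.slice(i); break; }
    outside += serialized.slice(i, open);
    const close = serialized.indexOf(CLOSE, open + OPEN.length);
    if (close === -1) { outside += serialized.slice(open); break; }
    text += serialized.slice(open + OPEN.length, close);
    i = close + CLOSE.length;
  }
  return { text, outside };
}

// Constructed attacker input: closes the section, then injects an element.
const payload = 'harmless]]><script>alert(1)</script>';

function demo() {
  const unsafe = cdataUnsafe(payload);
  const safe = cdataSafe(payload);
  return {
    unsafe,
    safe,
    unsafeParsed: readCdataSections(unsafe), // outside contains the <script> element
    safeParsed: readCdataSections(safe),     // text === payload, outside === ''
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The reader is deliberately simpler than a real XML parser; it exists only to make the escape visible: for the naive output the injected element lands in `outside`, for the hardened output the original text is recovered byte-for-byte and nothing escapes the sections.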
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing (High)
CVE-2026-40931 was published for compressing (npm) Apr 17, 2026
Credited to sachinpatilpsp and IAMolofficial
@vendure/core has a SQL Injection vulnerability (Critical)
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
Credited to jacobfrantz1
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses (Moderate)
CVE-2026-39409 was published for hono (npm) Apr 8, 2026
Credited to r74tech
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls (Moderate)
CVE-2026-41330 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders (Moderate)
CVE-2026-41331 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: Forged Nostr DMs could create pairing state before signature verification (Moderate)
CVE-2026-41301 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771 and KeenSecurityLab
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// (Moderate)
CVE-2026-40045 was published for openclaw (npm) Apr 7, 2026
Credited to zsxsoft and KeenSecurityLab
Credited to EaEa0001
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile (Critical)
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection (Moderate)
CVE-2026-41297 was published for openclaw (npm) Apr 7, 2026
Credited to AntAISecurityLab
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() (High)
CVE-2026-41324 was published for basic-ftp (npm) Apr 16, 2026
Credited to MaanVader
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) (High)
CVE-2026-41272 was published for flowise (npm) Apr 16, 2026
Credited to ESPanda666 and JLLeitschuh
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise (High)
CVE-2026-41273 was published for flowise (npm) Apr 16, 2026
Credited to melonattacker
Flowise: Password Reset Link Sent Over Unsecured HTTP (High)
CVE-2026-41275 was published for flowise (npm) Apr 16, 2026
Credited to charmedai
Flowise: resetPassword Authentication Bypass Vulnerability (High)
CVE-2026-41276 was published for flowise (npm) Apr 16, 2026
Credited to zdi-disclosures
Credited to berkdedekarginoglu
Credited to DeathsPirate
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains (High)
CVE-2026-41271 was published for flowise (npm) Apr 16, 2026
Credited to wsparks-vc
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories (Moderate)
CVE-2026-34451 was published for @anthropic-ai/sdk (npm) Apr 1, 2026
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard (Moderate)
CVE-2026-32019 was published for openclaw (npm) Mar 4, 2026
Credited to princeeismond-dot
Credited to tdjackey
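Two of the entries above share one root cause on the address-handling side: the Hono ipRestriction() entry (IPv4 rules compared against the "::ffff:a.b.c.d" form a dual-stack socket reports for an IPv4 peer) and the OpenClaw web fetch guard entry (a block list that does not cover the full IANA IPv4 special-purpose registry). The block below is an added illustration of both classes and is not Hono's or OpenClaw's code: `normalizeIp`, `ipv4ToInt`, `inCidr`, `ipAllowedNaive`, `ipAllowed`, `isSpecialUse`, the `SPECIAL_USE_V4` rule set and the sample addresses are my own. It goes slightly beyond the two titles by also canonicalizing the hex-group mapped form ("::ffff:7f00:1") and rejecting non-canonical dotted quads.

```javascript
// Added illustration, not Hono's or OpenClaw's code. All names below are
// hypothetical; SPECIAL_USE_V4 is taken from the IANA IPv4 special-purpose
// address registry (RFC 6890 and successors).

// IPv4-mapped IPv6 forms a dual-stack socket may report for an IPv4 peer.
const MAPPED_DOTTED = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i;
const MAPPED_HEX = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;

// Strict dotted quad -> 32-bit unsigned number. Anything that is not exactly
// four decimal octets without leading zeros returns null, so shorthand and
// octal spellings such as "127.1" or "0177.0.0.1" are never silently accepted.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// Canonicalize: trim, drop URL brackets, lowercase, mapped IPv6 -> dotted quad.
function normalizeIp(addr) {
  let a = String(addr).trim().toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1);
  let m = MAPPED_DOTTED.exec(a);
  if (m) return m[1];
  m = MAPPED_HEX.exec(a);
  if (m) {
    const hi = parseInt(m[1], 16);
    const lo = parseInt(m[2], 16);
    return [hi >> 8, hi & 255, lo >> 8, lo & 255].join('.');
  }
  return a;
}

// IPv4 CIDR membership; non-IPv4 input never matches.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Naive matcher (the Hono-style defect): compares the raw peer string.
// "::ffff:127.0.0.1" matches no IPv4 rule, so an allow list rejects a legitimate
// client and a deny list lets a "denied" IPv4 range straight through.
function ipAllowedNaive(peer, rules) {
  return rules.some(r => r === peer || (r.includes('/') && inCidr(peer, r)));
}

// Hardened matcher: canonicalize both sides before exact or CIDR comparison.
function ipAllowed(peer, rules) {
  const ip = normalizeIp(peer);
  return rules.some(r => normalizeIp(r) === ip || (r.includes('/') && inCidr(ip, r)));
}

// IPv4 special-purpose ranges an SSRF guard should refuse to fetch. A guard that
// only knows 10/8, 127/8 and 192.168/16 leaves link-local (169.254/16, where
// cloud metadata endpoints live), shared address space, benchmarking,
// documentation, multicast and "this host" ranges reachable.
const SPECIAL_USE_V4 = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.0.0.0/24', '192.0.2.0/24', '192.88.99.0/24', '192.168.0.0/16',
  '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '224.0.0.0/4', '240.0.0.0/4',
];

// Fail closed: unparseable input counts as special-use. IPv6 coverage here is
// partial (loopback, unspecified, fc00::/7, fe80::/10) and is labelled as such.
function isSpecialUse(addr) {
  const ip = normalizeIp(addr);
  if (ipv4ToInt(ip) !== null) return SPECIAL_USE_V4.some(c => inCidr(ip, c));
  if (ip === '::1' || ip === '::') return true;
  if (/^f[cd][0-9a-f]{2}:/.test(ip) || /^fe[89ab][0-9a-f]:/.test(ip)) return true;
  return !/^[0-9a-f:]+$/.test(ip);
}

console.log(ipAllowedNaive('::ffff:127.0.0.1', ['127.0.0.1']), ipAllowed('::ffff:127.0.0.1', ['127.0.0.1']));
console.log(isSpecialUse('::ffff:169.254.169.254'), isSpecialUse('8.8.8.8'));
```

Two practitioner notes: run the check after DNS resolution and again after every redirect hop rather than only on the URL the user supplied, and keep IPv6 ranges in the same table as IPv4 ones so that the mapped form cannot route around an IPv4-only list.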