Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

143 advisories

Loading
n8n-mcp webhook and API client paths has an authenticated SSRF High
CVE-2026-44694 was published for n8n-mcp (npm) May 8, 2026
fg0x0 Credited to fg0x0
Spring Cloud Config Server Susceptible To TOCTOU Attack High
CVE-2026-41002 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
scottfrederick Credited to scottfrederick
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes Moderate
CVE-2026-42592 was published for github.com/gotenberg/gotenberg/v8 (Go) May 7, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root Moderate
GHSA-6f72-9gxx-98mj was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
GHSA-frr5-j3mh-h9ch was published for openclaw (npm) May 6, 2026 withdrawn
Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding Moderate
GHSA-w7rc-vvgx-pj45 was published for openclaw (npm) May 6, 2026 withdrawn
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes Moderate
CVE-2026-44113 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root Moderate
CVE-2026-44112 was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection Moderate
GHSA-cw28-63x4-37c3 was published for openclaw (npm) Apr 24, 2026 withdrawn
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35376 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35374 was published for coreutils (Rust) Apr 22, 2026
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
GHSA-m26v-hjq3-x245 was published for coreutils (Rust) Apr 22, 2026 withdrawn
Duplicate Advisory: uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
GHSA-v24v-f45g-w7jf was published for coreutils (Rust) Apr 22, 2026 withdrawn
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Low
GHSA-vf87-345h-9qhx was published for coreutils (Rust) Apr 22, 2026 withdrawn
Duplicate Advisory: uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Low
GHSA-ggc5-46rg-mr4v was published for coreutils (Rust) Apr 22, 2026 withdrawn
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition Moderate
CVE-2026-35354 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35357 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35364 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition Moderate
CVE-2026-35360 was published for coreutils (Rust) Apr 22, 2026
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition High
CVE-2026-35352 was published for coreutils (Rust) Apr 22, 2026
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured Moderate
CVE-2026-22751 was published for org.springframework.security:spring-security-core (Maven) Apr 21, 2026
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement Moderate
CVE-2026-3590 was published for github.com/mattermost/mattermost-server (Go) Apr 17, 2026
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) High
CVE-2026-41272 was published for flowise (npm) Apr 16, 2026
ESPanda666 Credited to ESPanda666 and JLLeitschuh JLLeitschuh JLLeitschuh
OpenClaw: TOCTOU read in exec script preflight Low
CVE-2026-43529 was published for openclaw (npm) Apr 16, 2026
kikayli Credited to kikayli
ProTip! Advisories are also available from the GraphQL API