GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
11,776 advisories
Filter by severity
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling
High
CVE-2026-49253
was published
for
electerm
(npm)
Jul 2, 2026
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
High
CVE-2026-49250
was published
for
@conform-to/dom
(npm)
Jul 2, 2026
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
High
GHSA-vv65-f55v-xm6g
was published
for
@grackle-ai/powerline
(npm)
Jul 2, 2026
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
High
CVE-2026-49852
was published
for
joserfc
(pip)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
High
CVE-2026-50284
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap
High
CVE-2026-50279
was published
for
craftcms/cms
(Composer)
Jul 2, 2026
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
High
CVE-2026-44454
was published
for
github.com/coder/coder
(Go)
Jul 2, 2026
mediawiki/maps has stored XSS through the overlays parameter in the display_map parser function
High
CVE-2026-52854
was published
for
mediawiki/maps
(Composer)
Jul 2, 2026
Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
High
CVE-2026-52726
was published
for
dulwich
(pip)
Jul 2, 2026
Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read
High
CVE-2026-50180
was published
for
langroid
(pip)
Jul 2, 2026
Langroid: Path traversal in the file tools allows read/write outside configured current directory
High
CVE-2026-50181
was published
for
langroid
(pip)
Jul 2, 2026
OpenClaw: Native command authorization could skip owner-command enforcement
High
GHSA-p73f-w79w-jqr5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Trusted retry endpoint checks could match hostname prefixes
High
GHSA-77q5-rr5v-x43q
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Telegram interactive callbacks could skip commands.allowFrom
High
GHSA-w5ww-7chg-mxcq
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Matrix allowFrom could bind to mutable display names
High
CVE-2026-53811
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance
High
CVE-2026-53816
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Combined POSIX shell options could confuse exec revalidation
High
CVE-2026-53806
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Fake package roots could influence memory-core artifact loading
High
CVE-2026-53813
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows
High
CVE-2026-53819
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes
High
GHSA-xr4f-mjxj-w6w5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing
High
GHSA-qjpc-qf9m-xwmr
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack allowFrom could bind to mutable display names
High
GHSA-c29c-2q9c-pc86
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: QQBot streaming command could mutate config without explicit allowFrom
High
GHSA-jvm4-4j77-39p6
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API