GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
28 advisories
Filter by severity
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
High
CVE-2026-49357
was published
for
line-desktop-mcp
(npm)
Jun 26, 2026
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)
High
GHSA-fq4x-789w-jg5h
was published
for
@agenticmail/claudecode
(npm)
Jun 18, 2026
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
High
CVE-2026-54309
was published
for
n8n
(npm)
Jun 16, 2026
@agenticmail/mcp Missing Authentication for Critical Function
High
CVE-2026-50287
was published
for
@agenticmail/mcp
(npm)
Jun 1, 2026
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
High
CVE-2026-44895
was published
for
@yoda.digital/gitlab-mcp-server
(npm)
May 9, 2026
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
High
GHSA-7hgr-7h44-33w2
was published
for
camofox-mcp
(npm)
May 19, 2026
Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
High
CVE-2026-42856
was published
for
network-ai
(npm)
May 5, 2026
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
High
CVE-2026-41273
was published
for
flowise
(npm)
Apr 16, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
High
GHSA-xfqj-r5qw-8g4j
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport
High
GHSA-75hx-xj24-mqrw
was published
for
n8n-mcp
(npm)
Apr 10, 2026
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
High
CVE-2026-39363
was published
for
vite
(npm)
Apr 6, 2026
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
High
CVE-2026-32041
was published
for
openclaw
(npm)
Mar 2, 2026
Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication
High
GHSA-cxcw-jm67-3wwp
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
Dagu: SSE Authentication Bypass in Basic Auth Mode
High
CVE-2026-31882
was published
for
dagu
(npm)
Mar 13, 2026
Flowise Missing Authentication on NVIDIA NIM Endpoints
High
CVE-2026-30824
was published
for
flowise
(npm)
Mar 6, 2026
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
High
CVE-2026-28458
was published
for
moltbot
(npm)
Feb 17, 2026
OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
High
CVE-2026-29613
was published
for
openclaw
(npm)
Feb 17, 2026
OpenClaw has an authentication bypass in sandbox browser bridge server
High
CVE-2026-28468
was published
for
openclaw
(npm)
Feb 18, 2026
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
High
CVE-2026-26319
was published
for
openclaw
(npm)
Feb 17, 2026
FUXA contains an Unrestricted File Upload vulnerability
High
CVE-2025-69981
was published
for
fuxa-server
(npm)
Feb 3, 2026
FUXA contains an insecure default configuration vulnerability
High
CVE-2025-69970
was published
for
fuxa-server
(npm)
Feb 3, 2026
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply
High
CVE-2026-25593
was published
for
openclaw
(npm)
Feb 4, 2026
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
High
CVE-2026-22812
was published
for
opencode-ai
(npm)
Jan 13, 2026
Better Auth: Unauthenticated API key creation through api-key plugin
High
CVE-2025-61928
was published
for
better-auth
(npm)
Oct 9, 2025
ProTip!
Advisories are also available from the
GraphQL API