Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28 advisories

Loading
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication High
CVE-2026-49357 was published for line-desktop-mcp (npm) Jun 26, 2026
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake) High
GHSA-fq4x-789w-jg5h was published for @agenticmail/claudecode (npm) Jun 18, 2026
matte1782 Credited to matte1782
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions High
CVE-2026-54309 was published for n8n (npm) Jun 16, 2026
ESPanda666 Credited to ESPanda666
@agenticmail/mcp Missing Authentication for Critical Function High
CVE-2026-50287 was published for @agenticmail/mcp (npm) Jun 1, 2026
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools High
CVE-2026-44895 was published for @yoda.digital/gitlab-mcp-server (npm) May 9, 2026
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface High
GHSA-7hgr-7h44-33w2 was published for camofox-mcp (npm) May 19, 2026
232-323 Credited to 232-323 and 2REBCat 2REBCat 2REBCat
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise High
CVE-2026-41273 was published for flowise (npm) Apr 16, 2026
melonattacker Credited to melonattacker
gabiudrescu Credited to gabiudrescu
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode High
GHSA-xfqj-r5qw-8g4j was published for @paperclipai/server (npm) Apr 16, 2026
sagilayani Credited to sagilayani
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport High
GHSA-75hx-xj24-mqrw was published for n8n-mcp (npm) Apr 10, 2026
yotampe-pluto Credited to yotampe-pluto
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket High
CVE-2026-39363 was published for vite (npm) Apr 6, 2026
odgrso Credited to odgrso, CodeAnt-AI-Security, tronglinh23, and bluwy CodeAnt-AI-Security CodeAnt-AI-Security
tronglinh23 tronglinh23 bluwy bluwy
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure High
CVE-2026-32041 was published for openclaw (npm) Mar 2, 2026
Duplicate Advisory: OpenClaw's andbox browser noVNC observer lacked VNC authentication High
GHSA-cxcw-jm67-3wwp was published for openclaw (npm) Mar 21, 2026 withdrawn
Dagu: SSE Authentication Bypass in Basic Auth Mode High
CVE-2026-31882 was published for dagu (npm) Mar 13, 2026
0xkakash1 Credited to 0xkakash1
Flowise Missing Authentication on NVIDIA NIM Endpoints High
CVE-2026-30824 was published for flowise (npm) Mar 6, 2026
tenbbughunters Credited to tenbbughunters
johnatzeropath Credited to johnatzeropath, LeftenantZero, and yueyueL LeftenantZero LeftenantZero
yueyueL yueyueL
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw has an authentication bypass in sandbox browser bridge server High
CVE-2026-28468 was published for openclaw (npm) Feb 18, 2026
jackhax Credited to jackhax
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests High
CVE-2026-26319 was published for openclaw (npm) Feb 17, 2026
p80n-sec Credited to p80n-sec
FUXA contains an Unrestricted File Upload vulnerability High
CVE-2025-69981 was published for fuxa-server (npm) Feb 3, 2026
FUXA contains an insecure default configuration vulnerability High
CVE-2025-69970 was published for fuxa-server (npm) Feb 3, 2026
OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply High
CVE-2026-25593 was published for openclaw (npm) Feb 4, 2026
hackerman70000 Credited to hackerman70000
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution High
CVE-2026-22812 was published for opencode-ai (npm) Jan 13, 2026
CyberShadow Credited to CyberShadow
Better Auth: Unauthenticated API key creation through api-key plugin High
CVE-2025-61928 was published for better-auth (npm) Oct 9, 2025
etiennelunetta Credited to etiennelunetta
ProTip! Advisories are also available from the GraphQL API