GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
43 advisories
Filter by severity
Diffusers: TOCTOU Trust Remote Code Bypass
High
CVE-2026-45804
was published
for
diffusers
(pip)
May 20, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
OpenClaw: Combined POSIX shell options could confuse exec revalidation
High
CVE-2026-53806
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Node pairing reconnection could confuse approval scope state
High
GHSA-83w9-h5wv-j9xm
was published
for
openclaw
(npm)
Jul 2, 2026
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
High
CVE-2026-54353
was published
for
@budibase/backend-core
(npm)
Jun 22, 2026
Spring Cloud Config Server Susceptible To TOCTOU Attack
High
CVE-2026-41002
was published
for
org.springframework.cloud:spring-cloud-config-server
(Maven)
May 7, 2026
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
High
GHSA-rjvw-7vvw-549v
was published
for
praisonai
(pip)
Jun 18, 2026
Docker: Race condition in docker cp allows bind mount redirection to host path
High
CVE-2026-42306
was published
for
github.com/docker/docker
(Go)
May 18, 2026
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path
High
CVE-2026-54096
was published
for
github.com/filebrowser/filebrowser
(Go)
Jun 12, 2026
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators
High
GHSA-9wcp-79g5-5c3c
was published
for
com.appsmith:server
(Maven)
Jun 12, 2026
ONNX: TOCTOU arbitrary file read/write in save_external_dat
High
GHSA-q56x-g2fj-4rj6
was published
for
onnx
(pip)
Apr 1, 2026
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token
High
CVE-2026-45720
was published
for
github.com/siderolabs/omni
(Go)
Jun 5, 2026
n8n-mcp webhook and API client paths has an authenticated SSRF
High
CVE-2026-44694
was published
for
n8n-mcp
(npm)
May 8, 2026
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition
High
CVE-2026-35352
was published
for
coreutils
(Rust)
Apr 22, 2026
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
High
CVE-2026-41272
was published
for
flowise
(npm)
Apr 16, 2026
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
High
CVE-2026-32979
was published
for
openclaw
(npm)
Mar 13, 2026
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
High
GHSA-wmgj-hrx3-23gj
was published
for
openclaw
(npm)
Mar 29, 2026
•
withdrawn
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
High
CVE-2026-28483
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
High
CVE-2026-31997
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
High
CVE-2026-27545
was published
for
openclaw
(npm)
Mar 2, 2026
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
High
CVE-2026-23950
was published
for
tar
(npm)
Jan 21, 2026
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit
High
GHSA-mj4p-rc52-m843
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary
High
GHSA-qcc4-p59m-p54m
was published
for
openclaw
(npm)
Mar 12, 2026
Sylius has a Promotion Usage Limit Bypass via Race Condition
High
CVE-2026-31824
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
ProTip!
Advisories are also available from the
GraphQL API