Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

43 advisories

Loading
Diffusers: TOCTOU Trust Remote Code Bypass High
CVE-2026-45804 was published for diffusers (pip) May 20, 2026
zafido Credited to zafido and gal-zafran gal-zafran gal-zafran
chdanielmueller Credited to chdanielmueller
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
OpenClaw: Combined POSIX shell options could confuse exec revalidation High
CVE-2026-53806 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Node pairing reconnection could confuse approval scope state High
GHSA-83w9-h5wv-j9xm was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation High
CVE-2026-54353 was published for @budibase/backend-core (npm) Jun 22, 2026
Artex09 Credited to Artex09
Spring Cloud Config Server Susceptible To TOCTOU Attack High
CVE-2026-41002 was published for org.springframework.cloud:spring-cloud-config-server (Maven) May 7, 2026
scottfrederick Credited to scottfrederick
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding High
GHSA-rjvw-7vvw-549v was published for praisonai (pip) Jun 18, 2026
rexpository Credited to rexpository
Docker: Race condition in docker cp allows bind mount redirection to host path High
CVE-2026-42306 was published for github.com/docker/docker (Go) May 18, 2026
vvoland Credited to vvoland
File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path High
CVE-2026-54096 was published for github.com/filebrowser/filebrowser (Go) Jun 12, 2026
quart27219 Credited to quart27219, kimdu0, and hacdias kimdu0 kimdu0
hacdias hacdias
Appsmith Super User Creation Race Condition Allows Multiple Instance Administrators High
GHSA-9wcp-79g5-5c3c was published for com.appsmith:server (Maven) Jun 12, 2026
Moonster8282 Credited to Moonster8282
ONNX: TOCTOU arbitrary file read/write in save_external_dat High
GHSA-q56x-g2fj-4rj6 was published for onnx (pip) Apr 1, 2026
tsigouris007 Credited to tsigouris007 and kpatsakis kpatsakis kpatsakis
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token High
CVE-2026-45720 was published for github.com/siderolabs/omni (Go) Jun 5, 2026
bugbunny-research Credited to bugbunny-research
n8n-mcp webhook and API client paths has an authenticated SSRF High
CVE-2026-44694 was published for n8n-mcp (npm) May 8, 2026
fg0x0 Credited to fg0x0
uutils coreutils has a Time-of-Check to Time-of-Use (TOCTOU) race condition High
CVE-2026-35352 was published for coreutils (Rust) Apr 22, 2026
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure) High
CVE-2026-41272 was published for flowise (npm) Apr 16, 2026
ESPanda666 Credited to ESPanda666 and JLLeitschuh JLLeitschuh JLLeitschuh
OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
CVE-2026-32979 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity High
GHSA-wmgj-hrx3-23gj was published for openclaw (npm) Mar 29, 2026 withdrawn
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind High
CVE-2026-28483 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
tdjackey Credited to tdjackey
OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind High
CVE-2026-27545 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
tomasilluminati Credited to tomasilluminati, ssushant0011, and urielcos ssushant0011 ssushant0011
urielcos urielcos
OpenClaw: Sandbox staged writes could escape the verified parent directory before commit High
GHSA-mj4p-rc52-m843 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary High
GHSA-qcc4-p59m-p54m was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
Sylius has a Promotion Usage Limit Bypass via Race Condition High
CVE-2026-31824 was published for sylius/sylius (Composer) Mar 11, 2026
whiteov3rflow Credited to whiteov3rflow and bnBart bnBart bnBart
ProTip! Advisories are also available from the GraphQL API