GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,316
Maven
5,000+
npm
5,000+
NuGet
1,030
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,493
Swift
61
Unreviewed advisories
All unreviewed
5,000+
54 advisories
Filter by severity
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
OpenClaw: Combined POSIX shell options could confuse exec revalidation
High
CVE-2026-53806
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Node pairing reconnection could confuse approval scope state
High
GHSA-83w9-h5wv-j9xm
was published
for
openclaw
(npm)
Jul 2, 2026
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
High
CVE-2026-54353
was published
for
@budibase/backend-core
(npm)
Jun 22, 2026
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Low
CVE-2026-6733
was published
for
undici
(npm)
Jun 19, 2026
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Low
CVE-2026-54327
was published
for
@earendil-works/pi-coding-agent
(npm)
Jun 17, 2026
n8n-mcp webhook and API client paths has an authenticated SSRF
High
CVE-2026-44694
was published
for
n8n-mcp
(npm)
May 8, 2026
Duplicate Advisory: OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
Moderate
GHSA-6f72-9gxx-98mj
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Moderate
GHSA-frr5-j3mh-h9ch
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
Moderate
GHSA-w7rc-vvgx-pj45
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Moderate
CVE-2026-44113
was published
for
openclaw
(npm)
May 4, 2026
OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root
Moderate
CVE-2026-44112
was published
for
openclaw
(npm)
May 4, 2026
Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
Moderate
GHSA-cw28-63x4-37c3
was published
for
openclaw
(npm)
Apr 24, 2026
•
withdrawn
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
High
CVE-2026-41272
was published
for
flowise
(npm)
Apr 16, 2026
OpenClaw: TOCTOU read in exec script preflight
Low
CVE-2026-43529
was published
for
openclaw
(npm)
Apr 16, 2026
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
Critical
CVE-2026-41296
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
Moderate
GHSA-rm5c-4rmf-vvhw
was published
for
openclaw
(npm)
Apr 3, 2026
Duplicate Advisory: OpenClaw: Sandbox `writeFile` commit could race outside the validated path
Moderate
GHSA-xxj4-96ph-g6j6
was published
for
openclaw
(npm)
Mar 31, 2026
•
withdrawn
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Moderate
GHSA-wwrj-437c-ppq4
was published
for
openclaw
(npm)
Mar 31, 2026
•
withdrawn
Duplicate Advisory: OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
Moderate
GHSA-6q2v-vfwp-pvwh
was published
for
openclaw
(npm)
Mar 29, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
High
GHSA-wmgj-hrx3-23gj
was published
for
openclaw
(npm)
Mar 29, 2026
•
withdrawn
Parse Server has an MFA single-use token bypass via concurrent authData login requests
Low
CVE-2026-34224
was published
for
parse-server
(npm)
Mar 29, 2026
Handlebars.js has a Property Access Validation Bypass in container.lookup
Low
GHSA-442j-39wm-28r2
was published
for
handlebars
(npm)
Mar 29, 2026
OpenClaw may have stale policy enforcement for queued node actions
Low
CVE-2026-35648
was published
for
openclaw
(npm)
Mar 26, 2026
ProTip!
Advisories are also available from the
GraphQL API