GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,314 advisories
Filter by severity
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Critical
CVE-2026-49352
was published
for
9router
(npm)
Jul 2, 2026
9router: Missing Authorization and OS Command Injection
Critical
CVE-2026-59800
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy
Critical
GHSA-w4v6-g3wm-w36c
was published
for
openclaw
(npm)
Jul 2, 2026
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Critical
CVE-2026-53943
was published
for
ghost
(npm)
Jul 1, 2026
deepstream is vulnerable to prototype pollution
Critical
CVE-2026-49252
was published
for
@deepstream/server
(npm)
Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Critical
CVE-2026-48797
was published
for
@mcptoolshop/backpropagate
(npm)
Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string
Critical
CVE-2026-48713
was published
for
i18next-fs-backend
(npm)
Jun 25, 2026
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names
Critical
CVE-2026-48714
was published
for
i18next-http-middleware
(npm)
Jun 25, 2026
Budibase has nonymous NoSQL operator injection via published-app query templates
Critical
CVE-2026-54350
was published
for
@budibase/server
(npm)
Jun 23, 2026
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Critical
CVE-2026-54352
was published
for
@budibase/server
(npm)
Jun 22, 2026
scimPatch vulnerable to prototype pollution via unfiltered keys in patch
Critical
CVE-2026-48170
was published
for
scim-patch
(npm)
Jun 22, 2026
Network-AI: Improper Neutralization of Special Elements used in an OS Command
Critical
CVE-2026-54051
was published
for
network-ai
(npm)
Jun 19, 2026
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Critical
CVE-2026-48814
was published
for
network-ai
(npm)
Jun 19, 2026
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
Critical
CVE-2026-0755
was published
for
gemini-mcp-tool
(npm)
Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
Critical
CVE-2026-58399
was published
for
@acastellon/auth
(npm)
Jun 18, 2026
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
Critical
GHSA-j4f3-55x4-r6q2
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
Critical
GHSA-9752-mhqh-h34f
was published
for
praisonai
(npm)
Jun 18, 2026
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
Critical
GHSA-p69m-4f92-2v84
was published
for
praisonai
(npm)
Jun 18, 2026
npm PraisonAI codeMode sandbox escape via Function constructor
Critical
GHSA-vmmj-pfw7-fjwp
was published
for
praisonai
(npm)
Jun 18, 2026
LobeHub: Unauthenticated SSRF in `/webapi/proxy`
Critical
CVE-2026-54157
was published
for
@lobehub/lobehub
(npm)
Jun 16, 2026
ProTip!
Advisories are also available from the
GraphQL API