Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,314 advisories

Loading
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
9router: Missing Authorization and OS Command Injection Critical
CVE-2026-59800 was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy Critical
GHSA-w4v6-g3wm-w36c was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header Critical
CVE-2026-53943 was published for ghost (npm) Jul 1, 2026
Crypto-Cat Credited to Crypto-Cat
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string Critical
CVE-2026-48713 was published for i18next-fs-backend (npm) Jun 25, 2026
codeswhite Credited to codeswhite
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names Critical
CVE-2026-48714 was published for i18next-http-middleware (npm) Jun 25, 2026
codeswhite Credited to codeswhite
Budibase has nonymous NoSQL operator injection via published-app query templates Critical
CVE-2026-54350 was published for @budibase/server (npm) Jun 23, 2026
kah-ja Credited to kah-ja
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload Critical
CVE-2026-54352 was published for @budibase/server (npm) Jun 22, 2026
kah-ja Credited to kah-ja
scimPatch vulnerable to prototype pollution via unfiltered keys in patch Critical
CVE-2026-48170 was published for scim-patch (npm) Jun 22, 2026
McHippy3 Credited to McHippy3 and leewang0 leewang0 leewang0
Network-AI: Improper Neutralization of Special Elements used in an OS Command Critical
CVE-2026-54051 was published for network-ai (npm) Jun 19, 2026
lexdotdev Credited to lexdotdev
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests Critical
CVE-2026-48814 was published for network-ai (npm) Jun 19, 2026
SnailSploit Credited to SnailSploit
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755) Critical
CVE-2026-0755 was published for gemini-mcp-tool (npm) Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
CVE-2026-58399 was published for @acastellon/auth (npm) Jun 18, 2026
hackchang Credited to hackchang
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call Critical
GHSA-j4f3-55x4-r6q2 was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation Critical
GHSA-9752-mhqh-h34f was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool Critical
GHSA-p69m-4f92-2v84 was published for praisonai (npm) Jun 18, 2026
sondt99 Credited to sondt99
npm PraisonAI codeMode sandbox escape via Function constructor Critical
GHSA-vmmj-pfw7-fjwp was published for praisonai (npm) Jun 18, 2026
rexpository Credited to rexpository
LobeHub: Unauthenticated SSRF in `/webapi/proxy` Critical
CVE-2026-54157 was published for @lobehub/lobehub (npm) Jun 16, 2026
0xj3st3r Credited to 0xj3st3r
ProTip! Advisories are also available from the GraphQL API