Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,314 advisories

Loading
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints Critical
CVE-2026-53513 was published for @better-auth/sso (npm) Jul 7, 2026
vaadata-poyetont Credited to vaadata-poyetont
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins Critical
CVE-2026-53512 was published for better-auth (npm) Jul 7, 2026
subhanUmer Credited to subhanUmer
9router: Missing Authorization and OS Command Injection Critical
CVE-2026-59800 was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
OS Command Injection in install-package Critical
CVE-2020-7629 was published for install-package (npm) Feb 10, 2022
cookesan Credited to cookesan
OS Command Injection in git-add-remote Critical
CVE-2020-7630 was published for git-add-remote (npm) Feb 10, 2022
cookesan Credited to cookesan
OS Command Injection in node-key-sender Critical
CVE-2020-7627 was published for node-key-sender (npm) Feb 10, 2022
cookesan Credited to cookesan
Injection in op-browser Critical
CVE-2020-7625 was published for op-browser (npm) Feb 10, 2022
cookesan Credited to cookesan
karma-mojo enables OS Command Injection Critical
CVE-2020-7626 was published for karma-mojo (npm) Feb 10, 2022
cookesan Credited to cookesan
OS Command Injection in strong-nginx-controller Critical
CVE-2020-7621 was published for strong-nginx-controller (npm) Feb 10, 2022
cookesan Credited to cookesan
OS Command Injection in jscover Critical
CVE-2020-7623 was published for jscover (npm) Feb 10, 2022
cookesan Credited to cookesan
curlrequest allows execution of arbitrary commands Critical
CVE-2020-7646 was published for curlrequest (npm) May 13, 2020
cookesan Credited to cookesan
Command injection in get-git-data Critical
CVE-2020-7619 was published for get-git-data (npm) May 10, 2021
cookesan Credited to cookesan
@enclave-vm/core is vulnerable to Sandbox Escape Critical
CVE-2026-27597 was published for @enclave-vm/core (npm) Feb 25, 2026
c0rydoras Credited to c0rydoras, frontegg-david, and cookesan frontegg-david frontegg-david
cookesan cookesan
Electerm Local code through electerm's single-instance socket Critical
CVE-2026-45353 was published for electerm (npm) May 14, 2026
amwhoi Credited to amwhoi and cookesan cookesan cookesan
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy Critical
GHSA-w4v6-g3wm-w36c was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header Critical
CVE-2026-53943 was published for ghost (npm) Jul 1, 2026
Crypto-Cat Credited to Crypto-Cat
@acastellon/auth: Authentication bypass via spoofable headers in validateToken() Critical
CVE-2026-58399 was published for @acastellon/auth (npm) Jun 18, 2026
hackchang Credited to hackchang
deepstream is vulnerable to prototype pollution Critical
CVE-2026-49252 was published for @deepstream/server (npm) Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication Critical
CVE-2026-48797 was published for @mcptoolshop/backpropagate (npm) Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string Critical
CVE-2026-48713 was published for i18next-fs-backend (npm) Jun 25, 2026
codeswhite Credited to codeswhite
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names Critical
CVE-2026-48714 was published for i18next-http-middleware (npm) Jun 25, 2026
codeswhite Credited to codeswhite
ProTip! Advisories are also available from the GraphQL API