GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
1,314 advisories
Filter by severity
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
Critical
CVE-2026-53513
was published
for
@better-auth/sso
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
Critical
CVE-2026-53512
was published
for
better-auth
(npm)
Jul 7, 2026
9router: Missing Authorization and OS Command Injection
Critical
CVE-2026-59800
was published
for
9router
(npm)
Jul 2, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
OS Command Injection in install-package
Critical
CVE-2020-7629
was published
for
install-package
(npm)
Feb 10, 2022
OS Command Injection in git-add-remote
Critical
CVE-2020-7630
was published
for
git-add-remote
(npm)
Feb 10, 2022
OS Command Injection in node-key-sender
Critical
CVE-2020-7627
was published
for
node-key-sender
(npm)
Feb 10, 2022
karma-mojo enables OS Command Injection
Critical
CVE-2020-7626
was published
for
karma-mojo
(npm)
Feb 10, 2022
OS Command Injection in strong-nginx-controller
Critical
CVE-2020-7621
was published
for
strong-nginx-controller
(npm)
Feb 10, 2022
curlrequest allows execution of arbitrary commands
Critical
CVE-2020-7646
was published
for
curlrequest
(npm)
May 13, 2020
Command injection in get-git-data
Critical
CVE-2020-7619
was published
for
get-git-data
(npm)
May 10, 2021
@enclave-vm/core is vulnerable to Sandbox Escape
Critical
CVE-2026-27597
was published
for
@enclave-vm/core
(npm)
Feb 25, 2026
Electerm Local code through electerm's single-instance socket
Critical
CVE-2026-45353
was published
for
electerm
(npm)
May 14, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Critical
CVE-2026-49352
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy
Critical
GHSA-w4v6-g3wm-w36c
was published
for
openclaw
(npm)
Jul 2, 2026
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Critical
CVE-2026-53943
was published
for
ghost
(npm)
Jul 1, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
Critical
CVE-2026-58399
was published
for
@acastellon/auth
(npm)
Jun 18, 2026
deepstream is vulnerable to prototype pollution
Critical
CVE-2026-49252
was published
for
@deepstream/server
(npm)
Jun 26, 2026
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Critical
CVE-2026-48797
was published
for
@mcptoolshop/backpropagate
(npm)
Jun 26, 2026
i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string
Critical
CVE-2026-48713
was published
for
i18next-fs-backend
(npm)
Jun 25, 2026
i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names
Critical
CVE-2026-48714
was published
for
i18next-http-middleware
(npm)
Jun 25, 2026
ProTip!
Advisories are also available from the
GraphQL API