GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,383 advisories
Filter by severity
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
Moderate
CVE-2026-44646
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Moderate
CVE-2026-44645
was published
for
liquidjs
(npm)
May 27, 2026
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
Moderate
CVE-2026-44644
was published
for
liquidjs
(npm)
May 27, 2026
Potential XSS vulnerability in jQuery
Moderate
CVE-2020-11022
was published
for
athlon1600/youtube-downloader
(RubyGems)
Apr 29, 2020
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Claw Orchestrator has inefficient regular expression complexity via validateRegex()
Moderate
CVE-2026-10291
was published
for
@enderfga/claw-orchestrator
(npm)
Jun 2, 2026
Claw Orchestrator is missing authentication for the component API Endpoint
Moderate
CVE-2026-10281
was published
for
@enderfga/claw-orchestrator
(npm)
Jun 1, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Moderate
CVE-2026-47200
was published
for
@nuxt/nitro-server
(npm)
May 29, 2026
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Moderate
CVE-2026-45670
was published
for
@nuxt/rspack-builder
(npm)
May 19, 2026
Nuxt: Reflected XSS in `navigateTo()` external redirect
Moderate
CVE-2026-45669
was published
for
nuxt
(npm)
May 19, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
Moderate
GHSA-p2fr-6hmx-4528
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Moderate
GHSA-x4hg-hfwf-p9mw
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Moderate
GHSA-gj2h-2fpw-fhv9
was published
for
@nuxt/ui
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Moderate
CVE-2026-50290
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Moderate
GHSA-qcr8-x557-7cp3
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
Moderate
GHSA-5c7w-4wm3-85vw
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers
Moderate
CVE-2026-53818
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Mattermost slash token revocation could lag until monitor refresh
Moderate
GHSA-4m3v-q747-pc6h
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API