Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,383 advisories

Loading
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies Moderate
CVE-2026-49977 was published for tarteaucitronjs (npm) Jul 10, 2026
Rudloff Credited to Rudloff
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user Moderate
CVE-2026-5078 was published for morgan (npm) Jul 10, 2026
yuki-matsuhashi Credited to yuki-matsuhashi, UlisesGascon, and jonchurch UlisesGascon UlisesGascon
jonchurch jonchurch
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data Moderate
GHSA-382c-vx95-w3p5 was published for @jsonbored/gittensory-mcp (npm) Jul 9, 2026
homanp Credited to homanp
Waku: Cross-Origin CSRF on RSC Server Action Dispatch Moderate
CVE-2026-49455 was published for waku (npm) Jul 8, 2026
j0hndo Credited to j0hndo
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators Moderate
GHSA-p2fr-6hmx-4528 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
dvanmali Credited to dvanmali
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060) Moderate
CVE-2026-53509 was published for @aborruso/ckan-mcp-server (npm) Jul 7, 2026
hibrian827 Credited to hibrian827
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation Moderate
GHSA-x4hg-hfwf-p9mw was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
nimonian Credited to nimonian
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString Moderate
CVE-2026-50290 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state Moderate
GHSA-qcr8-x557-7cp3 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection Moderate
GHSA-5c7w-4wm3-85vw was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw: Mattermost slash token revocation could lag until monitor refresh Moderate
GHSA-4m3v-q747-pc6h was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers Moderate
CVE-2026-53818 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload Moderate
GHSA-275c-xpvc-jgfw was published for openclaw (npm) Jul 2, 2026
feynman-hou Credited to feynman-hou
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts Moderate
GHSA-6c4r-g249-wv3c was published for openclaw (npm) Jul 2, 2026
anshumanbh Credited to anshumanbh
OpenClaw: Embedded runner policy could be confused by provider aliases Moderate
CVE-2026-53809 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks Moderate
GHSA-77pv-3w4q-vrj5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Browser debug/export routes could reuse already-open blocked tabs Moderate
GHSA-hcm3-8f6r-6xwg was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs Moderate
GHSA-grc3-2j34-p6gm was published for openclaw (npm) Jul 2, 2026
anshumanbh Credited to anshumanbh
OpenClaw: Mattermost handlers could fall open when channel type was missing Moderate
GHSA-gp79-m99v-gjmh was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Skill Workshop apply flow could override pending approval Moderate
GHSA-cqwv-9qjx-vxw2 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions Moderate
GHSA-wv26-j37q-2g7p was published for openclaw (npm) Jul 2, 2026
Kherrisan Credited to Kherrisan
ProTip! Advisories are also available from the GraphQL API