GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,383 advisories
Filter by severity
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
Moderate
CVE-2026-49977
was published
for
tarteaucitronjs
(npm)
Jul 10, 2026
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Moderate
CVE-2026-5078
was published
for
morgan
(npm)
Jul 10, 2026
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
Moderate
GHSA-382c-vx95-w3p5
was published
for
@jsonbored/gittensory-mcp
(npm)
Jul 9, 2026
Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Moderate
CVE-2026-49455
was published
for
waku
(npm)
Jul 8, 2026
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
Moderate
GHSA-p2fr-6hmx-4528
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
Moderate
CVE-2026-53509
was published
for
@aborruso/ckan-mcp-server
(npm)
Jul 7, 2026
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Moderate
GHSA-x4hg-hfwf-p9mw
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Moderate
GHSA-gj2h-2fpw-fhv9
was published
for
@nuxt/ui
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Moderate
CVE-2026-50290
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Moderate
GHSA-qcr8-x557-7cp3
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
Moderate
GHSA-5c7w-4wm3-85vw
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw: Mattermost slash token revocation could lag until monitor refresh
Moderate
GHSA-4m3v-q747-pc6h
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers
Moderate
CVE-2026-53818
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload
Moderate
GHSA-275c-xpvc-jgfw
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts
Moderate
GHSA-6c4r-g249-wv3c
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Embedded runner policy could be confused by provider aliases
Moderate
CVE-2026-53809
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks
Moderate
GHSA-77pv-3w4q-vrj5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Browser debug/export routes could reuse already-open blocked tabs
Moderate
GHSA-hcm3-8f6r-6xwg
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs
Moderate
GHSA-grc3-2j34-p6gm
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Mattermost handlers could fall open when channel type was missing
Moderate
GHSA-gp79-m99v-gjmh
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Skill Workshop apply flow could override pending approval
Moderate
GHSA-cqwv-9qjx-vxw2
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions
Moderate
GHSA-wv26-j37q-2g7p
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API