
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

442 advisories

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url Low
GHSA-rp72-5v5q-2446 was published for @cardano402/mcp-server (npm) Jun 26, 2026
Credited to MorganOnCode
neotoma has tenant isolation gap in relationship query endpoints Low
GHSA-wrr4-782v-jhwh was published for neotoma (npm) Jun 25, 2026
parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change Low
GHSA-97pr-9hgg-3p8r was published for parse-server (npm) Jun 19, 2026
Credited to offset and mtrezza
Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe Low
GHSA-h5jc-78hr-3pc9 was published for @sveltia/cms (npm) Jun 19, 2026
Credited to blacksolo1
parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist Low
CVE-2026-55778 was published for parse-server (npm) Jun 19, 2026
Credited to mtrezza
parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist Low
CVE-2026-53724 was published for parse-server (npm) Jun 19, 2026
Credited to offset and mtrezza
Credited to sondt99
Credited to UlisesGascon, KhafraDev, and mcollina
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse Low
CVE-2026-6733 was published for undici (npm) Jun 19, 2026
Credited to mcollina and UlisesGascon
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment Low
CVE-2026-53852 was published for openclaw (npm) Jun 18, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer
OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers Low
CVE-2026-53860 was published for openclaw (npm) Jun 18, 2026
Credited to YLChen-007
OpenClaw: Skill-command dispatch could skip before-tool-call hooks Low
CVE-2026-53845 was published for openclaw (npm) Jun 18, 2026
Credited to zsxsoft, qclawer, and KeenSecurityLab
OpenClaw: Bootstrap token replay could widen pending pairing scopes Low
CVE-2026-53862 was published for openclaw (npm) Jun 18, 2026
Credited to YLChen-007
OpenClaw: Exec allowlist could miss side effects from transparent command wrappers Low
CVE-2026-53848 was published for openclaw (npm) Jun 18, 2026
Credited to nayakchinmohan
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials Low
CVE-2026-54327 was published for @earendil-works/pi-coding-agent (npm) Jun 17, 2026
Credited to urianpaul94
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass Low
CVE-2026-54326 was published for @earendil-works/pi-coding-agent (npm) Jun 16, 2026
Credited to urianpaul94
Cross-site scripting via <NoScript> slot content in Nuxt's head components Low
GHSA-m3q2-p4fw-w38m was published for nuxt (npm) Jun 16, 2026
Credited to alcls01111
Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes Low
GHSA-h9h6-pwqv-j9hv was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers Low
GHSA-8hj2-w4c9-fjfq was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment Low
GHSA-hc4w-hm59-9w88 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers Low
GHSA-wrr6-p5r6-474m was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks Low
GHSA-r7vv-6763-m739 was published for openclaw (npm) Jun 16, 2026 withdrawn
Duplicate Advisory: Exported session HTML could keep unsafe markdown links Low
GHSA-6xcg-6q43-rj2v was published for openclaw (npm) Jun 16, 2026 withdrawn
Credited to offset