GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Advisory counts by ecosystem (GitHub-reviewed advisories):

Ecosystem | Reviewed advisories
All reviewed | 5,000+
Composer | 5,000+
Erlang | 91
GitHub Actions | 54
Go | 4,194
Maven | 5,000+
npm | 5,000+
NuGet | 1,021
pip | 5,000+
Pub | 13
RubyGems | 1,102
Rust | 1,422
Swift | 61

Unreviewed advisories (all ecosystems): 5,000+

442 advisories match the current filter (every entry listed below is an npm package with Low severity).
Published | Identifier | Severity | Package (ecosystem) | Advisory
Jun 26, 2026 | GHSA-rp72-5v5q-2446 | Low | @cardano402/mcp-server (npm) | @cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Jun 25, 2026 | GHSA-wrr4-782v-jhwh | Low | neotoma (npm) | neotoma has tenant isolation gap in relationship query endpoints
Jun 19, 2026 | GHSA-97pr-9hgg-3p8r | Low | parse-server (npm) | parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Jun 19, 2026 | GHSA-h5jc-78hr-3pc9 | Low | @sveltia/cms (npm) | Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe
Jun 19, 2026 | CVE-2026-55778 | Low | parse-server (npm) | parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist
Jun 19, 2026 | CVE-2026-53724 | Low | parse-server (npm) | parse-server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Jun 19, 2026 | GHSA-9wxg-vf3r-56hc | Low | @openzeppelin/wizard (npm) | OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
Jun 19, 2026 | CVE-2026-11525 | Low | undici (npm) | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Jun 19, 2026 | CVE-2026-6733 | Low | undici (npm) | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Jun 18, 2026 | CVE-2026-53852 | Low | openclaw (npm) | OpenClaw: Empty-scope device re-pairing could confuse caller scope containment
Jun 18, 2026 | CVE-2026-53860 | Low | openclaw (npm) | OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers
Jun 18, 2026 | CVE-2026-53845 | Low | openclaw (npm) | OpenClaw: Skill-command dispatch could skip before-tool-call hooks
Jun 18, 2026 | CVE-2026-53862 | Low | openclaw (npm) | OpenClaw: Bootstrap token replay could widen pending pairing scopes
Jun 18, 2026 | CVE-2026-53848 | Low | openclaw (npm) | OpenClaw: Exec allowlist could miss side effects from transparent command wrappers
Jun 17, 2026 | CVE-2026-54327 | Low | @earendil-works/pi-coding-agent (npm) | Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Jun 16, 2026 | CVE-2026-54326 | Low | @earendil-works/pi-coding-agent (npm) | Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Jun 16, 2026 | GHSA-m3q2-p4fw-w38m | Low | nuxt (npm) | Cross-site scripting via <NoScript> slot content in Nuxt's head components
Jun 16, 2026 | GHSA-h9h6-pwqv-j9hv (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes
Jun 16, 2026 | GHSA-8hj2-w4c9-fjfq (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers
Jun 16, 2026 | GHSA-hc4w-hm59-9w88 (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment
Jun 16, 2026 | GHSA-wrr6-p5r6-474m (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers
Jun 16, 2026 | GHSA-r7vv-6763-m739 (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks
Jun 16, 2026 | GHSA-6xcg-6q43-rj2v (withdrawn) | Low | openclaw (npm) | Duplicate Advisory: Exported session HTML could keep unsafe markdown links
Jun 15, 2026 | GHSA-rq7w-g337-39qq | Low | nuxt (npm) | Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`
Jun 15, 2026 | GHSA-vxr8-fq34-vvx9 | Low | dompurify (npm) | DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
ProTip! Advisories are also available from the GraphQL API.
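As an added example of the GraphQL route mentioned above (this is not GitHub's own tooling), the script below pulls the same slice this page shows, npm advisories with Low severity, through the `securityVulnerabilities` query of the public GitHub GraphQL schema, and flattens the result into listing rows: the CVE id is shown where one is assigned and the GHSA id otherwise, withdrawn entries (the "Duplicate Advisory" rows above) are dropped, and an advisory that spans several packages or version ranges appears once. The network call needs a token in `GITHUB_TOKEN`; the embedded sample response is constructed so the flattening logic runs offline, and its version ranges, patched versions and the `GHSA-xxxx-xxxx-xxxx` id are placeholders, not the real data for those advisories.

```python
"""Query GitHub's GraphQL advisory data and flatten it into listing rows.

Added example, not GitHub's own code. Query, arguments and field names are
from the public GitHub GraphQL schema; SAMPLE_NODES is constructed.
"""
import json
import os
import urllib.request

GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"

# One node per (advisory, package, vulnerable range), filtered by ecosystem
# and severity the same way the advisory listing page filters.
VULNERABILITIES_QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $severities: [SecurityAdvisorySeverity!], $first: Int!) {
  securityVulnerabilities(first: $first, ecosystem: $ecosystem, severities: $severities,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      package { ecosystem name }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory { ghsaId summary severity publishedAt withdrawnAt identifiers { type value } }
    }
  }
}
"""


def fetch_vulnerabilities(token, ecosystem="NPM", severities=("LOW",), first=50):
    """POST the query to api.github.com (network call; needs a real token)."""
    body = json.dumps({"query": VULNERABILITIES_QUERY,
                       "variables": {"ecosystem": ecosystem,
                                     "severities": list(severities), "first": first}}).encode()
    req = urllib.request.Request(
        GITHUB_GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if "errors" in payload:
        raise RuntimeError(payload["errors"])
    return payload["data"]["securityVulnerabilities"]["nodes"]


def primary_identifier(advisory):
    """Prefer the CVE id when assigned, else the GHSA id (as the listing page does)."""
    for ident in advisory.get("identifiers", []):
        if ident["type"] == "CVE":
            return ident["value"]
    return advisory["ghsaId"]


def flatten(nodes):
    """One listing row per advisory; withdrawn advisories are skipped and an
    advisory covering several packages/ranges is emitted only once."""
    rows, seen = [], set()
    for node in nodes:
        adv = node["advisory"]
        if adv.get("withdrawnAt") or adv["ghsaId"] in seen:
            continue
        seen.add(adv["ghsaId"])
        patched = node.get("firstPatchedVersion")
        rows.append({
            "published": adv["publishedAt"][:10],
            "identifier": primary_identifier(adv),
            "severity": adv["severity"],
            "package": f"{node['package']['name']} ({node['package']['ecosystem'].lower()})",
            "summary": adv["summary"],
            "vulnerable_range": node["vulnerableVersionRange"],
            "first_patched": patched["identifier"] if patched else None,
        })
    return rows


# Constructed sample in the shape the API returns. Ranges, patched versions,
# timestamps and the GHSA-xxxx-xxxx-xxxx id are placeholders, not real data.
SAMPLE_NODES = [
    {"package": {"ecosystem": "NPM", "name": "openclaw"},
     "vulnerableVersionRange": "< 1.0.0", "firstPatchedVersion": None,
     "advisory": {"ghsaId": "GHSA-h9h6-pwqv-j9hv", "severity": "LOW",
                  "summary": "Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes",
                  "publishedAt": "2026-06-16T00:00:00Z", "withdrawnAt": "2026-06-16T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-h9h6-pwqv-j9hv"}]}},
    {"package": {"ecosystem": "NPM", "name": "openclaw"},
     "vulnerableVersionRange": "< 1.0.0", "firstPatchedVersion": {"identifier": "1.0.0"},
     "advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxxx", "severity": "LOW",
                  "summary": "OpenClaw: Bootstrap token replay could widen pending pairing scopes",
                  "publishedAt": "2026-06-18T00:00:00Z", "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxxx"},
                                  {"type": "CVE", "value": "CVE-2026-53862"}]}},
    {"package": {"ecosystem": "NPM", "name": "nuxt"},
     "vulnerableVersionRange": "< 3.0.0", "firstPatchedVersion": None,
     "advisory": {"ghsaId": "GHSA-m3q2-p4fw-w38m", "severity": "LOW",
                  "summary": "Cross-site scripting via <NoScript> slot content in Nuxt's head components",
                  "publishedAt": "2026-06-16T00:00:00Z", "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-m3q2-p4fw-w38m"}]}},
    {"package": {"ecosystem": "NPM", "name": "nuxt"},  # second range, same advisory
     "vulnerableVersionRange": ">= 3.0.0, < 3.0.1", "firstPatchedVersion": {"identifier": "3.0.1"},
     "advisory": {"ghsaId": "GHSA-m3q2-p4fw-w38m", "severity": "LOW",
                  "summary": "Cross-site scripting via <NoScript> slot content in Nuxt's head components",
                  "publishedAt": "2026-06-16T00:00:00Z", "withdrawnAt": None,
                  "identifiers": [{"type": "GHSA", "value": "GHSA-m3q2-p4fw-w38m"}]}},
]

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    nodes = fetch_vulnerabilities(token) if token else SAMPLE_NODES
    for row in flatten(nodes):
        print(f"{row['published']} | {row['identifier']} | {row['severity']} | "
              f"{row['package']} | {row['summary']}")
```

Without a token the script prints the two surviving rows from the constructed sample; with `GITHUB_TOKEN` set it prints the live feed. Ordering is by `UPDATED_AT` because that is the order field `securityVulnerabilities` exposes, so a re-scored old advisory can surface ahead of a newer one; sort the rows on `published` if you need the page's order.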