Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,406
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,641
Pub
13
RubyGems
1,026
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

5,578 advisories

Loading
SandboxJS: Sandbox integrity escape Critical
CVE-2026-34208 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
fancymalware Credited to fancymalware
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity Critical
CVE-2026-33950 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist Critical
CVE-2026-31818 was published for @budibase/backend-core (npm) Apr 3, 2026
Moonster8282 Credited to Moonster8282
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass Low
CVE-2026-35038 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
DOMPurify ADD_ATTR predicate skips URI validation Moderate
GHSA-cjmm-f4jc-qw8r was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
DOMPurify USE_PROFILES prototype pollution allows event handlers Moderate
GHSA-cj63-jhhr-wcxv was published for dompurify (npm) Apr 3, 2026
christos-eth Credited to christos-eth
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache) Critical
GHSA-xg6x-h9c9-2m83 was published for better-auth (npm) Apr 3, 2026
TriDecent Credited to TriDecent
OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps Low
GHSA-x2m8-53h4-6hch was published for openclaw (npm) Apr 3, 2026
cyjhhh Credited to cyjhhh
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message Moderate
GHSA-6336-qqw9-v6x6 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials Moderate
GHSA-9f4w-67g7-mqwv was published for openclaw (npm) Apr 3, 2026
zsxsoft Credited to zsxsoft
OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled Moderate
GHSA-3xv9-89fm-7h4r was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist Moderate
GHSA-rvvf-6vh3-9j43 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration High
GHSA-q9w8-cf67-r238 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts Moderate
GHSA-f693-58pc-2gfr was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config Low
GHSA-3pm9-5j7m-59vc was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing High
GHSA-gg9v-mgcp-v6m7 was published for openclaw (npm) Apr 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection High
GHSA-h5hg-h7rr-gpf3 was published for openclaw (npm) Apr 3, 2026
smaeljaish771 Credited to smaeljaish771
OpenClaw: Discord voice manager bypasses channel-level member access allowlist Moderate
GHSA-cqgw-44wg-44rf was published for openclaw (npm) Apr 3, 2026
zsxsoft Credited to zsxsoft
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders Moderate
GHSA-m6fx-m8hc-572m was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch High
GHSA-gjm7-hw8f-73rq was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile Critical
GHSA-9p3r-hh9g-5cmg was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062) Moderate
GHSA-2w79-r9g8-wmcr was published for openclaw (npm) Apr 3, 2026
Kazamayc Credited to Kazamayc
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database