GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (counts as displayed on the page): All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,606; Maven 5,000+; npm 5,000+; NuGet 924; pip 4,831; Pub 13; RubyGems 1,045; Rust 1,256; Swift 53.
Unreviewed advisories: 5,000+.

The listing below shows 5,911 advisories matching the current filter (every entry shown is an npm package), newest first.
Severity | Identifier | Package (ecosystem) | Published | Title
High | CVE-2026-41278 | flowise (npm) | Apr 17, 2026 | Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
High | CVE-2026-41277 | flowise (npm) | Apr 17, 2026 | Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
High | CVE-2026-40931 | compressing (npm) | Apr 17, 2026 | Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Moderate | GHSA-92jp-89mq-4374 | openclaw (npm) | Apr 17, 2026 | OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
Moderate | GHSA-f3g8-9xv5-77gv | @saltcorn/server (npm) | Apr 16, 2026 | Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
Critical | GHSA-jp74-mfrx-3qvh | @saltcorn/server (npm) | Apr 16, 2026 | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Critical | GHSA-3xx2-mqjm-hg9x | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Moderate | GHSA-fpw4-p57j-hqmq | @paperclipai/ui (npm) | Apr 16, 2026 | Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Moderate | GHSA-p7mm-r948-4q3q | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Critical | GHSA-47wq-cj9q-wpmp | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Critical | GHSA-vr7g-88fq-vhq3 | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: OS Command Injection via Execution Workspace cleanupCommand
High | GHSA-gqqj-85qm-8qhf | paperclipai (npm) | Apr 16, 2026 | Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
High | GHSA-xfqj-r5qw-8g4j | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
High | GHSA-w8hx-hqjv-vjcq | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Malicious skills able to exfiltrate and destroy all user data
High | CVE-2026-41208 | @paperclipai/server (npm) | Apr 16, 2026 | Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Moderate | GHSA-3pw3-v88x-xj24 | @paperclipai/shared (npm) | Apr 16, 2026 | Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
High | GHSA-xr8f-h2gw-9xh6 | @better-auth/oauth-provider (npm) | Apr 16, 2026 | OAuth 2.1 Provider: Unprivileged users can register OAuth clients
Critical | GHSA-8783-3wgf-jggf | @budibase/backend-core (npm) | Apr 16, 2026 | Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
High | CVE-2026-40897 | mathjs (npm) | Apr 16, 2026 | Unsafe object property setter in mathjs
High | GHSA-45q2-gjvg-7973 | @angular/platform-server (npm) | Apr 16, 2026 | Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
Critical | CVE-2026-41242 | protobufjs (npm) | Apr 16, 2026 | Arbitrary code execution in protobufjs
Moderate | CVE-2026-6410 | @fastify/static (npm) | Apr 16, 2026 | @fastify/static vulnerable to path traversal in directory listing
Moderate | CVE-2026-6414 | @fastify/static (npm) | Apr 16, 2026 | @fastify/static vulnerable to route guard bypass via encoded path separators
Critical | CVE-2026-6270 | @fastify/middie (npm) | Apr 16, 2026 | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
High | CVE-2026-33804 | @fastify/middie (npm) | Apr 16, 2026 | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option
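Two entries in the list above, the Saltcorn open redirect (backslash bypass of an `is_relative_url` check) and the Angular platform-server SSRF via protocol-relative and backslash URLs, rest on the same URL-parsing behaviour: the WHATWG URL parser implemented by browsers and by Node's URL class treats a backslash like a forward slash in http(s) URLs, so a string such as /\evil.example that passes a "starts with a single slash, not two" test resolves to a different host exactly as //evil.example would. The following is an added example written for this page; it is not code from Saltcorn, Angular or GitHub, and it does not reproduce either project's check. The function names, the site origin app.example.test and the sample redirect targets are constructed. It contrasts a naive relative-URL check with one that resolves the candidate against the site's own origin and refuses anything that leaves it.

```javascript
// Added illustrative example (not Saltcorn's or Angular's code): why a
// "starts with a single slash" test does not keep a redirect on-site. The
// WHATWG URL parser treats "\" like "/" in special (http/https) URLs, so
// "/\evil.example" resolves like "//evil.example": a protocol-relative URL
// pointing at another host.

// Naive check of the kind a post-login redirect might use: accept anything
// that begins with "/" but not "//". Constructed here for contrast.
function naiveIsRelativeUrl(target) {
  return typeof target === 'string' && target.startsWith('/') && !target.startsWith('//');
}

// Where a browser would actually land if the server echoed `target` in a
// Location header for a page served from `siteOrigin`.
function resolvedHost(target, siteOrigin) {
  try {
    return new URL(target, siteOrigin).host;
  } catch {
    return null; // unparseable: nothing a browser would navigate to
  }
}

// Hardened check: resolve the candidate against our own origin and require
// the result to stay on that origin. Backslashes are refused outright, since
// they never occur in legitimate relative paths and parsers disagree on them.
// Returns a normalised path-only string to redirect to, or null to reject.
function safeRelativeUrl(target, siteOrigin) {
  if (typeof target !== 'string' || target.length === 0 || target.includes('\\')) {
    return null;
  }
  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch {
    return null;
  }
  if (resolved.origin !== new URL(siteOrigin).origin) {
    return null;
  }
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample of redirect targets an attacker might supply.
const SITE = 'https://app.example.test';
const SAMPLES = [
  '/dashboard',             // legitimate
  '//evil.example/phish',   // classic protocol-relative form, caught by the naive check
  '/\\evil.example/phish',  // backslash variant: passes the naive check, leaves the site
  '/\\\\evil.example',      // two backslashes behave the same way
  'https://evil.example/',  // absolute URL
  '/%5Cevil.example',       // percent-encoded backslash stays in the path (harmless)
];

function evaluate(target) {
  return {
    target,
    naive: naiveIsRelativeUrl(target),
    landsOn: resolvedHost(target, SITE),
    hardened: safeRelativeUrl(target, SITE),
  };
}

for (const row of SAMPLES.map(evaluate)) console.log(row);
```

The `landsOn` column is the point: for `/\evil.example/phish` the naive check says "relative" while the parser puts the user on evil.example. Returning the re-serialised path from the hardened function, rather than the raw input, also removes whatever odd encoding the attacker used.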
Advisories are also available from the GitHub GraphQL API.
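The Budibase entry in the list above describes an authentication bypass caused by an unanchored regular expression in a public-endpoint matcher, and the @fastify/static entry a route-guard bypass via encoded path separators. The example below is added for this page and is not taken from Budibase, fastify or GitHub; the route list, function names and request URLs are constructed. It shows the general pattern behind both titles: an allowlist of unauthenticated routes tested with RegExp#test and no anchors is satisfied by any request whose URL merely contains a public path, for instance in the query string, while the hardened version first normalises the path (drops the query, percent-decodes once, resolves dot segments and duplicate slashes) and then matches anchored, escaped patterns.

```javascript
// Added illustrative example (not Budibase's or fastify's code): an unanchored
// regex allowlist of public routes versus an anchored match on a normalised path.

// Routes that legitimately need no session. Constructed for this example.
// `prefix: true` means everything beneath the path is public.
const PUBLIC_ROUTES = [
  { path: '/api/system/status', prefix: false },
  { path: '/api/global/auth/login', prefix: false },
  { path: '/builder/assets/', prefix: true },
];

// Weak matcher: RegExp#test succeeds on any substring match, so a request whose
// URL merely contains a public path somewhere (for example in the query string)
// is treated as public and skips authentication.
function isPublicUnanchored(rawUrl) {
  return PUBLIC_ROUTES.some(({ path }) => new RegExp(path).test(rawUrl));
}

// Canonical form of the request path: drop query/fragment, percent-decode once
// (so an encoded "/" becomes a separator), then resolve "." and ".." segments
// and collapse duplicate slashes. Returns null on malformed encoding.
function normalisePath(rawUrl) {
  const pathOnly = rawUrl.split(/[?#]/, 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    return null;
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  const trailing = decoded.endsWith('/') && segments.length > 0 ? '/' : '';
  return '/' + segments.join('/') + trailing;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Anchored patterns: "^" always, "$" unless the route is a prefix. Regex
// metacharacters in the route (such as ".") are escaped to match literally.
const ANCHORED_ROUTES = PUBLIC_ROUTES.map(
  ({ path, prefix }) => new RegExp('^' + escapeRegExp(path) + (prefix ? '' : '$')),
);

// Hardened matcher. Because this is an allowlist, any request shape the
// normaliser does not recognise simply falls through to "needs authentication".
function isPublicAnchored(rawUrl) {
  const normalised = normalisePath(rawUrl);
  return normalised !== null && ANCHORED_ROUTES.some((re) => re.test(normalised));
}

// Constructed request URLs: the first three are genuinely public, the rest
// target protected routes while smuggling a public path into the URL.
const REQUESTS = [
  '/api/system/status',
  '/builder/assets/app.js',
  '/api//system/status',                            // legitimate, but with a doubled slash
  '/api/admin/users?redirect=/api/system/status',   // public path only in the query string
  '/api/system/status/../../admin/users',           // dot segments after a public path
  '/api/global/auth/login%2F..%2F..%2Fadmin/users', // encoded separators and dot segments
  '/builder/assets/../../api/admin/users',          // walks out of the public prefix
];

function classify(rawUrl) {
  return { rawUrl, unanchored: isPublicUnanchored(rawUrl), anchored: isPublicAnchored(rawUrl) };
}

for (const row of REQUESTS.map(classify)) console.log(row);
```

Note the doubled-slash case: the unanchored matcher fails closed there (it forces authentication on a genuinely public URL), while the normalising matcher recognises it; normalisation helps legitimate traffic as much as it blocks the smuggled paths. The guard must see the same canonical path the router will dispatch on, otherwise the two disagree and the gap is exactly what the bypass exploits.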