GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
215 advisories
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
High
CVE-2026-41432
was published
for
github.com/QuantumNous/new-api
(Go)
Apr 24, 2026
Gitea has insecure default SSH settings
Moderate
GHSA-3m6q-h5gj-7mrw
was published
for
code.gitea.io/gitea
(Go)
Apr 22, 2026
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
High
GHSA-2r2p-4cgf-hv7h
was published
for
engramx
(npm)
Apr 22, 2026
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical
GHSA-xh72-v6v9-mwhc
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Browser SSRF policy default allowed private-network navigation
Moderate
GHSA-53vx-pmqw-863c
was published
for
openclaw
(npm)
Apr 17, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Critical
GHSA-68qg-g8mg-6pr7
was published
for
@paperclipai/server
(npm)
Apr 10, 2026
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical
CVE-2026-31818
was published
for
@budibase/backend-core
(npm)
Apr 3, 2026
DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost
High
CVE-2026-34742
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Apr 1, 2026
@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
High
CVE-2026-31975
was published
for
@siteboon/claude-code-ui
(npm)
Mar 11, 2026
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Critical
CVE-2026-26190
was published
for
github.com/milvus-io/milvus
(Go)
Feb 11, 2026
ProTip!
Advisories are also available from the
GraphQL API