Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,595
Maven
5,000+
npm
5,000+
NuGet
924
pip
4,823
Pub
13
RubyGems
1,045
Rust
1,256
Swift
53
Unreviewed advisories
All unreviewed
5,000+

1,209 advisories

Loading
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
xeloxa Credited to xeloxa
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability Critical
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
zdi-disclosures Credited to zdi-disclosures
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability Critical
GHSA-v38x-c887-992f was published for flowise (npm) Apr 18, 2026
zdi-disclosures Credited to zdi-disclosures
OpenClaw: Feishu webhook and card-action validation now fail closed Critical
GHSA-xh72-v6v9-mwhc was published for openclaw (npm) Apr 17, 2026
dhyabi2 Credited to dhyabi2
Remote Code Execution (RCE) via String Literal Injection into math-codegen Critical
GHSA-p6x5-p4xf-cc4r was published for math-codegen (npm) Apr 17, 2026
hits3134 Credited to hits3134
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) Critical
GHSA-jp74-mfrx-3qvh was published for @saltcorn/server (npm) Apr 16, 2026
QiaoNPC Credited to QiaoNPC
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise Critical
GHSA-3xx2-mqjm-hg9x was published for @paperclipai/server (npm) Apr 16, 2026
offset Credited to offset
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys Critical
GHSA-47wq-cj9q-wpmp was published for @paperclipai/server (npm) Apr 16, 2026
peaktwilight Credited to peaktwilight
Paperclip: OS Command Injection via Execution Workspace cleanupCommand Critical
GHSA-vr7g-88fq-vhq3 was published for @paperclipai/server (npm) Apr 16, 2026
YuvalElbar6 Credited to YuvalElbar6
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints Critical
GHSA-8783-3wgf-jggf was published for @budibase/backend-core (npm) Apr 16, 2026
AyushParkara Credited to AyushParkara
Arbitrary code execution in protobufjs Critical
CVE-2026-41242 was published for protobufjs (npm) Apr 16, 2026
cristianstaicu Credited to cristianstaicu, alexander-fenster, and sofisl alexander-fenster alexander-fenster
sofisl sofisl
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes Critical
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, climba03003, and UlisesGascon climba03003 climba03003
UlisesGascon UlisesGascon
Flowise: Code Injection in CSVAgent leads to Authenticated RCE Critical
GHSA-9wc7-mj3f-74xv was published for flowise (npm) Apr 16, 2026
supriza Credited to supriza
Official Clerk JavaScript SDKs: Middleware-based route protection bypass Critical
GHSA-vqx2-fgx2-5wq9 was published for @clerk/astro (npm) Apr 16, 2026
YouGina Credited to YouGina
electerm: electerm_install_script_CommandInjection Vulnerability Report Critical
GHSA-wxw2-rwmh-vr8f was published for electerm (npm) Apr 16, 2026
Yuremin Credited to Yuremin and FORIMOC FORIMOC FORIMOC
Flowise: Authenticated RCE Via MCP Adapters Critical
CVE-2026-40933 was published for flowise (npm) Apr 16, 2026
MosesOX Credited to MosesOX
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) Critical
CVE-2026-33808 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes Critical
CVE-2026-33807 was published for @fastify/express (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
Fastify's connection header abuse enables stripping of proxy-added headers Critical
CVE-2026-33805 was published for @fastify/http-proxy (npm) Apr 16, 2026
FredKSchott Credited to FredKSchott, mcollina, UlisesGascon, and climba03003 mcollina mcollina
UlisesGascon UlisesGascon climba03003 climba03003
@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
jacobfrantz1 Credited to jacobfrantz1
OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files Critical
CVE-2025-61260 was published for @openai/codex (npm) Apr 14, 2026
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass Critical
GHSA-68qg-g8mg-6pr7 was published for @paperclipai/server (npm) Apr 10, 2026
sagilayani Credited to sagilayani
@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections Critical
CVE-2026-39397 was published for @delmaredigital/payload-puck (npm) Apr 8, 2026
Dag-Rui Credited to Dag-Rui
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step Critical
CVE-2026-35216 was published for @budibase/server (npm) Apr 4, 2026
da7om85 Credited to da7om85
SandboxJS: Sandbox integrity escape Critical
CVE-2026-34208 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
fancymalware Credited to fancymalware
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database