GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,040 advisories
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Moderate
GHSA-m2m6-cff5-3w7c
was published
for
rwsdk
(npm)
Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Moderate
CVE-2026-41305
was published
for
postcss
(npm)
Apr 24, 2026
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
Moderate
CVE-2026-41322
was published
for
@astrojs/node
(npm)
Apr 23, 2026
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Moderate
CVE-2026-41495
was published
for
n8n-mcp
(npm)
Apr 23, 2026
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
Moderate
GHSA-2cjr-5v3h-v2w4
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
GHSA-w5hq-g745-h8pq
was published
for
uuid
(npm)
Apr 22, 2026
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Moderate
CVE-2026-41650
was published
for
fast-xml-parser
(npm)
Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Moderate
GHSA-4p4f-fc8q-84m3
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
Moderate
GHSA-6336-qqw9-v6x6
was published
for
openclaw
(npm)
Apr 3, 2026
Astro: XSS in define:vars via incomplete </script> tag sanitization
Moderate
CVE-2026-41067
was published
for
astro
(npm)
Apr 21, 2026
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Moderate
CVE-2026-41331
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Moderate
CVE-2026-41330
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery
Moderate
CVE-2026-41302
was published
for
openclaw
(npm)
Apr 2, 2026
OpenClaw: Forged Nostr DMs could create pairing state before signature verification
Moderate
CVE-2026-41301
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: Endpoint persists after trust decline, leaking gateway credentials
Moderate
CVE-2026-41300
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
Moderate
CVE-2026-41298
was published
for
openclaw
(npm)
Apr 7, 2026
ProTip!
Advisories are also available from the
GraphQL API