GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,042 advisories
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Moderate
GHSA-m2m6-cff5-3w7c
was published
for
rwsdk
(npm)
Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Moderate
CVE-2026-41305
was published
for
postcss
(npm)
Apr 24, 2026
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
Moderate
CVE-2026-41322
was published
for
@astrojs/node
(npm)
Apr 23, 2026
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Moderate
CVE-2026-41495
was published
for
n8n-mcp
(npm)
Apr 23, 2026
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
Moderate
GHSA-2cjr-5v3h-v2w4
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
GHSA-w5hq-g745-h8pq
was published
for
uuid
(npm)
Apr 22, 2026
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Moderate
CVE-2026-41650
was published
for
fast-xml-parser
(npm)
Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
Astro: XSS in define:vars via incomplete </script> tag sanitization
Moderate
CVE-2026-41067
was published
for
astro
(npm)
Apr 21, 2026
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
Moderate
GHSA-f934-5rqf-xx47
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets
Moderate
GHSA-f7fh-qg34-x2xh
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
Moderate
GHSA-jhpv-5j76-m56h
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
Moderate
GHSA-536q-mj95-h29h
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads
Moderate
GHSA-qmwg-qprg-3j38
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
Moderate
GHSA-527m-976r-jf79
was published
for
openclaw
(npm)
Apr 17, 2026
ProTip!
Advisories are also available from the
GraphQL API