GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,211 advisories

@vendure/core has a SQL Injection vulnerability Critical
CVE-2026-40887 was published for @vendure/core (npm) Apr 14, 2026
Credited to jacobfrantz1
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile Critical
CVE-2026-41296 was published for openclaw (npm) Apr 3, 2026
Credited to AntAISecurityLab
thenify before 3.3.1 made use of unsafe calls to `eval`. Critical
CVE-2020-7677 was published for org.webjars.npm:thenify (Maven) Jul 18, 2022
Credited to Wenxin-Jiang
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability Critical
CVE-2026-41265 was published for flowise (npm) Apr 18, 2026
Credited to zdi-disclosures
Arbitrary code execution in protobufjs Critical
CVE-2026-41242 was published for protobufjs (npm) Apr 16, 2026
Credited to cristianstaicu, alexander-fenster, and sofisl
electerm has Command Injection via runLinux function Critical
CVE-2026-41501 was published for electerm (npm) Apr 24, 2026
Credited to FORIMOC
Flowise: Code Injection in CSVAgent leads to Authenticated RCE Critical
CVE-2026-41137 was published for flowise (npm) Apr 16, 2026
Credited to supriza
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
Credited to DanusMinimus
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution Critical
GHSA-j5w5-568x-rq53 was published for @evomap/evolver (npm) Apr 22, 2026
Credited to xeloxa
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability Critical
CVE-2026-41264 was published for flowise (npm) Apr 21, 2026
Credited to zdi-disclosures
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation Critical
CVE-2026-41329 was published for openclaw (npm) Apr 2, 2026
Credited to AntAISecurityLab
Credited to tdjackey
Official Clerk JavaScript SDKs: Middleware-based route protection bypass Critical
GHSA-vqx2-fgx2-5wq9 was published for @clerk/astro (npm) Apr 16, 2026
Credited to YouGina
OpenClaw: Feishu webhook and card-action validation now fail closed Critical
GHSA-xh72-v6v9-mwhc was published for openclaw (npm) Apr 17, 2026
Credited to dhyabi2
Remote Code Execution (RCE) via String Literal Injection into math-codegen Critical
GHSA-p6x5-p4xf-cc4r was published for math-codegen (npm) Apr 17, 2026
Credited to hits3134
OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files Critical
CVE-2025-61260 was published for @openai/codex (npm) Apr 14, 2026
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) Critical
GHSA-jp74-mfrx-3qvh was published for @saltcorn/server (npm) Apr 16, 2026
Credited to QiaoNPC
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise Critical
GHSA-3xx2-mqjm-hg9x was published for @paperclipai/server (npm) Apr 16, 2026
Credited to offset
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys Critical
GHSA-47wq-cj9q-wpmp was published for @paperclipai/server (npm) Apr 16, 2026
Credited to peaktwilight
Paperclip: OS Command Injection via Execution Workspace cleanupCommand Critical
GHSA-vr7g-88fq-vhq3 was published for @paperclipai/server (npm) Apr 16, 2026
Credited to YuvalElbar6
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher - Unauthenticated Access to Protected Endpoints Critical
GHSA-8783-3wgf-jggf was published for @budibase/backend-core (npm) Apr 16, 2026
Credited to AyushParkara
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes Critical
CVE-2026-6270 was published for @fastify/middie (npm) Apr 16, 2026
Credited to FredKSchott, climba03003, and UlisesGascon
electerm: electerm_install_script_CommandInjection Vulnerability Report Critical
GHSA-wxw2-rwmh-vr8f was published for electerm (npm) Apr 16, 2026
Credited to Yuremin and FORIMOC
Flowise: Authenticated RCE Via MCP Adapters Critical
CVE-2026-40933 was published for flowise (npm) Apr 16, 2026
Credited to MosesOX
Credited to FredKSchott, mcollina, UlisesGascon, and climba03003