Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
58
GitHub Actions
50
Go
3,799
Maven
5,000+
npm
5,000+
NuGet
938
pip
5,000+
Pub
13
RubyGems
1,059
Rust
1,351
Swift
54
Unreviewed advisories
All unreviewed
5,000+

190 advisories

Loading
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) Critical
CVE-2026-45091 was published for io.github.davidalmeidac:sealed-env-core (Maven) May 12, 2026
davidalmeidac Credited to davidalmeidac
Electerm's full process.env exposed to renderer via window.pre.env Moderate
CVE-2026-43942 was published for electerm (npm) May 8, 2026
osageling Credited to osageling
n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure High
GHSA-8g7g-hmwm-6rv2 was published for n8n-mcp (npm) May 8, 2026
cybercraftsolutionsllc Credited to cybercraftsolutionsllc
Vercel: Non-interactive mode includes CLI arguments in suggested command output Moderate
CVE-2026-44479 was published for vercel (npm) May 7, 2026
Flowise: Bcrypt Password Hash Exposure Moderate
CVE-2026-8026 was published for flowise (npm) May 6, 2026
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods High
CVE-2026-42047 was published for inngest (npm) May 5, 2026
benhylak Credited to benhylak
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs Moderate
GHSA-x3h8-jrgh-p8jx was published for openclaw (npm) May 4, 2026
VladimirEliTokarev Credited to VladimirEliTokarev
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses Critical
GHSA-wpqr-6v78-jr5g was published for @google/gemini-cli (GitHub Actions) Apr 24, 2026
DanusMinimus Credited to DanusMinimus and EladMeged-Novee EladMeged-Novee EladMeged-Novee
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs High
CVE-2026-41278 was published for flowise (npm) Apr 17, 2026
DeathsPirate Credited to DeathsPirate
Flowise: Sensitive Data Leak in public-chatbotConfig High
CVE-2026-41266 was published for flowise (npm) Apr 16, 2026
DenizParlak Credited to DenizParlak
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions Moderate
CVE-2026-39857 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API Moderate
CVE-2026-33888 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
LangSmith SDK: Streaming token events bypass output redaction Moderate
CVE-2026-41182 was published for langsmith (npm) Apr 16, 2026
Ryu7zz Credited to Ryu7zz
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets Moderate
GHSA-r4q5-vmmm-2653 was published for follow-redirects (npm) Apr 14, 2026
Den-Sec Credited to Den-Sec
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel Moderate
CVE-2026-39412 was published for liquidjs (npm) Apr 8, 2026
tndud042713 Credited to tndud042713
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// Moderate
CVE-2026-40045 was published for openclaw (npm) Apr 7, 2026
zsxsoft Credited to zsxsoft and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients Moderate
CVE-2026-41339 was published for openclaw (npm) Apr 7, 2026
topsec-bunney Credited to topsec-bunney
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling Moderate
CVE-2026-39365 was published for vite (npm) Apr 6, 2026
odgrso Credited to odgrso, Ochk0, and bluwy Ochk0 Ochk0
bluwy bluwy
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket High
CVE-2026-39363 was published for vite (npm) Apr 6, 2026
odgrso Credited to odgrso, CodeAnt-AI-Security, tronglinh23, and bluwy CodeAnt-AI-Security CodeAnt-AI-Security
tronglinh23 tronglinh23 bluwy bluwy
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries High
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Directus: Sensitive fields exposed in revision history Moderate
CVE-2026-39943 was published for directus (npm) Apr 4, 2026
Directus: GraphQL Schema SDL Disclosure Setting Moderate
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
bugbunny-research Credited to bugbunny-research and odgrso odgrso odgrso
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass Low
CVE-2026-35038 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability Moderate
CVE-2026-41335 was published for openclaw (npm) Apr 3, 2026
topsec-bunney Credited to topsec-bunney
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database