GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 45; Go 3,248; Maven 5,000+; npm 5,000+; NuGet 867; pip 4,513; Pub 12; RubyGems 997; Rust 1,189; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
5,216 advisories
Parse Server has an auth provider validation bypass on login via partial authData
  High. CVE-2026-33409 was published for parse-server (npm) on Mar 19, 2026.
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR
  Moderate. CVE-2026-33397 was published for @angular/ssr (npm) on Mar 19, 2026.
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
  Moderate. CVE-2026-33349 was published for fast-xml-parser (npm) on Mar 19, 2026.
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)
  Moderate. CVE-2026-33326 was published for @keystone-6/core (npm) on Mar 19, 2026.
Parse Server email verification resend page leaks user existence
  Moderate. CVE-2026-33323 was published for parse-server (npm) on Mar 19, 2026.
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
  Moderate. CVE-2026-33311 was published for @dicebear/core (npm) on Mar 19, 2026.
Prototype Pollution via parse() in NodeJS flatted
  High. CVE-2026-33228 was published for flatted (npm) on Mar 19, 2026.
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
  Critical. GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) on Mar 19, 2026.
Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
  High. CVE-2026-33068 was published for @anthropic-ai/claude-code (npm) on Mar 19, 2026.
Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
  Moderate. GHSA-xrgv-34cc-q765 was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
  Moderate. GHSA-q86m-697p-h7fh was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
  High. GHSA-pfv5-rpcw-x34x was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
  Moderate. GHSA-2cwr-f5hx-gg3w was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
  Moderate. GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
  Moderate. GHSA-5rp4-cwgh-gvwq was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
  Moderate. GHSA-5326-6f73-m96w was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
  Moderate. GHSA-866c-wwm5-4rj7 was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
  Moderate. GHSA-5gqg-mqh5-2v39 was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
  Moderate. GHSA-8px5-2gfr-7ph6 was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags
  Low. GHSA-ggm6-h3mx-cmmp was published for openclaw (npm) on Mar 19, 2026. Withdrawn.
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
  High. CVE-2026-33226 was published for budibase (npm) on Mar 18, 2026.
Parse Server leaks protected fields via LiveQuery afterEvent trigger
  High. CVE-2026-33163 was published for parse-server (npm) on Mar 18, 2026.
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
  Critical. CVE-2026-32731 was published for @apostrophecms/import-export (npm) on Mar 18, 2026.
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
  High. CVE-2026-32730 was published for apostrophe (npm) on Mar 18, 2026.
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability
  Moderate. CVE-2026-30048 was published for @developer.notchatbot/webchat (npm) on Mar 18, 2026.
Advisories are also available from the GraphQL API.