
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,615 advisories

justhtml: Mutation XSS with custom foreign-namespace sanitization policies Low
GHSA-r758-8hxw-4845 was published for justhtml (pip) Apr 8, 2026
Credited to EmilStenstrom
Electron: Named window.open targets not scoped to the opener's browsing context Moderate
CVE-2026-34765 was published for electron (npm) Apr 7, 2026
Credited to HO-9 and HanJeouk
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution Moderate
GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) Mar 26, 2026
Credited to nexrin and KeenSecurityLab
Credited to smaeljaish771 and KeenSecurityLab
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution High
GHSA-wv46-v6xc-2qhf was published for openclaw (npm) Mar 26, 2026
Credited to nexrin and KeenSecurityLab
OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message Moderate
GHSA-6336-qqw9-v6x6 was published for openclaw (npm) Apr 3, 2026
Credited to nexrin and KeenSecurityLab
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets Low
GHSA-fqrj-m88p-qf3v was published for openclaw (npm) Apr 7, 2026
Credited to nexrin and KeenSecurityLab
OpenClaw Nostr privateKey config redaction bypass leaks plaintext signing key via config.get Moderate
GHSA-jjw7-3vjf-fg5j was published for openclaw (npm) Apr 2, 2026
Credited to ccreater222 and KeenSecurityLab
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch Moderate
GHSA-4p4f-fc8q-84m3 was published for openclaw (npm) Apr 7, 2026
Credited to nexrin and KeenSecurityLab
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass Critical
GHSA-2679-6mx9-h9xc was published for marimo (pip) Apr 8, 2026
Credited to q1uf3ng
Plexus-Utils has a Directory Traversal vulnerability in its extractFile method High
CVE-2025-67030 was published for org.codehaus.plexus:plexus-utils (Maven) Mar 25, 2026
Credited to udengaardandersent-ELS and timtebeek
AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints Moderate
CVE-2026-33766 was published for wwbn/avideo (Composer) Mar 26, 2026
Credited to kodareef5 and Marcono1234
Credited to offset and Marcono1234
Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers High
GHSA-2m67-wjpj-xhg9 was published for tools.jackson.core:jackson-core (Maven) Apr 4, 2026
Credited to anyzy2003, Adrian-Hirt, and pjfanning
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser Moderate
CVE-2026-33349 was published for fast-xml-parser (npm) Mar 19, 2026
Credited to offset and tung2744
RAGAS has an Arbitrary File Read vulnerability High
CVE-2025-45691 was published for ragas (pip) Mar 5, 2026
Credited to adithyan-ak
Keycloak logs sensitive headers Moderate
CVE-2025-11537 was published for org.keycloak:keycloak-quarkus-server (Maven) Feb 10, 2026
Credited to julianladisch and eminaktas
PraisonAI Vulnerable to OS Command Injection Critical
GHSA-2763-cj5r-c79m was published for PraisonAI (pip) Apr 8, 2026
Credited to l3tchupkt
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response Moderate
GHSA-68m9-983m-f3v5 was published for github.com/openfga/openfga (Go) Apr 8, 2026
Credited to bugbunny-research
LangChain has incomplete f-string validation in prompt templates Moderate
GHSA-926x-3r5x-gfhw was published for langchain-core (pip) Apr 8, 2026
Pretext: Algorithmic Complexity (DoS) in the text analysis phase High
GHSA-5478-66c3-rhxr was published for @chenglou/pretext (npm) Apr 8, 2026
Credited to NapongiZero
parisneo/lollms has an insufficient session expiration vulnerability Moderate
CVE-2026-1163 was published for lollms (pip) Apr 8, 2026
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint Moderate
CVE-2025-59472 was published for next (npm) Jan 28, 2026
Credited to cylewaitforit and jesvinjames
basic-ftp has FTP Command Injection via CRLF High
GHSA-chqc-8p9q-pq6q was published for basic-ftp (npm) Apr 8, 2026
Credited to zebbern