GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,282
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,105
Rust
1,490
Swift
61
Unreviewed advisories
All unreviewed
5,000+
128 advisories
Filter by severity
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Critical
CVE-2026-33808
was published
for
@fastify/express
(npm)
Apr 16, 2026
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Critical
CVE-2026-33807
was published
for
@fastify/express
(npm)
Apr 16, 2026
Multiple security fixes in justhtml
Low
GHSA-4p64-v8f5-r2gx
was published
for
justhtml
(pip)
Apr 14, 2026
Parse Server: File upload Content-Type override via extension mismatch
Low
CVE-2026-35200
was published
for
parse-server
(npm)
Apr 4, 2026
OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
Low
CVE-2026-41388
was published
for
openclaw
(npm)
Apr 3, 2026
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Moderate
CVE-2026-32762
was published
for
rack
(RubyGems)
Apr 2, 2026
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
Moderate
CVE-2026-26961
was published
for
rack
(RubyGems)
Apr 2, 2026
Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Moderate
GHSA-mxmg-3p7m-2ghr
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
Duplicate Advisory: OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Moderate
GHSA-w6f4-3v35-qjhj
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk
High
GHSA-q382-vc8q-7jhj
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Mar 19, 2026
astral-tokio-tar insufficiently validates PAX extensions during extraction
Moderate
CVE-2026-32766
was published
for
astral-tokio-tar
(Rust)
Mar 17, 2026
OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
High
CVE-2026-32971
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: system.run allow-always persistence included shell-commented payload tails
Moderate
GHSA-9q2p-vc84-2rwm
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Low
CVE-2026-27183
was published
for
openclaw
(npm)
Mar 9, 2026
SEPPmail Secure Email Gateway before version 15.0.1 incorrectly interprets email addresses in the...
High
Unreviewed
CVE-2026-27444
was published
Mar 4, 2026
OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
Moderate
GHSA-796m-2973-wc5q
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
Moderate
CVE-2026-32052
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: system.run approval identity mismatch could execute a different binary than displayed
Moderate
CVE-2026-32065
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists
Moderate
GHSA-392f-ggf5-fp3c
was published
for
openclaw
(npm)
Mar 2, 2026
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
High
CVE-2026-27896
was published
for
github.com/modelcontextprotocol/go-sdk
(Go)
Feb 26, 2026
Fickling: OBJ opcode call invisibility bypasses all safety checks
High
GHSA-mxhj-88fx-4pcv
was published
for
fickling
(pip)
Feb 24, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.6.6, 18...
High
Unreviewed
CVE-2026-0958
was published
Feb 11, 2026
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated...
Low
Unreviewed
CVE-2026-23686
was published
Feb 10, 2026
Fastify's Content-Type header tab character allows body validation bypass
High
CVE-2026-25223
was published
for
fastify
(npm)
Feb 2, 2026
Path Normalization Bypass in Traefik Router + Middleware Rules
Moderate
CVE-2025-66490
was published
for
github.com/traefik/traefik
(Go)
Dec 8, 2025
ProTip!
Advisories are also available from the
GraphQL API