GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,296
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,116
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
24 advisories
Filter by severity
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: Matrix allowFrom could bind to mutable display names
High
CVE-2026-53811
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack allowFrom could bind to mutable display names
High
GHSA-c29c-2q9c-pc86
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Control UI locality spoofing could mint a durable admin device token
High
CVE-2026-53817
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
High
GHSA-rggc-m335-3wvj
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Discord allowFrom could bind to mutable display names
High
CVE-2026-53849
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Zalo allowFrom could bind to mutable display names
High
CVE-2026-53857
was published
for
openclaw
(npm)
Jun 18, 2026
Duplicate Advisory: Zalo allowFrom could bind to mutable display names
High
GHSA-w7m7-3xcf-mp48
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names
High
GHSA-p44v-rx83-vjp4
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
GHSA-35vf-vw9f-q3cr
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
CVE-2026-44118
was published
for
openclaw
(npm)
May 4, 2026
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
High
CVE-2026-41299
was published
for
openclaw
(npm)
Mar 31, 2026
Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
High
GHSA-qwmf-95r9-gx9x
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
h3 has a middleware bypass with one gadget
High
CVE-2026-33131
was published
for
h3
(npm)
Mar 18, 2026
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
High
CVE-2026-32014
was published
for
openclaw
(npm)
Mar 3, 2026
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
High
CVE-2026-27700
was published
for
hono
(npm)
Feb 25, 2026
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
High
CVE-2026-28465
was published
for
@clawdbot/voice-call
(npm)
Feb 17, 2026
Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling
High
CVE-2025-46573
was published
for
passport-wsfed-saml2
(npm)
May 6, 2025
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
High
CVE-2017-16897
was published
for
passport-wsfed-saml2
(npm)
Jun 21, 2023
Parse Server option `masterKeyIps` vulnerability to IP spoofing
High
CVE-2023-22474
was published
for
parse-server
(npm)
Jan 31, 2023
Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding
High
CVE-2018-7160
was published
for
node-inspector
(npm)
May 13, 2022
•
withdrawn
Authentication Bypass by Spoofing in express-cart
High
CVE-2018-16483
was published
for
express-cart
(npm)
Feb 7, 2019
Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2
High
GHSA-7fpw-cfc4-3p2c
was published
for
passport-wsfed-saml2
(npm)
Dec 28, 2017
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API