GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
53 advisories
Filter by severity
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
OpenClaw: Matrix allowFrom could bind to mutable display names
High
CVE-2026-53811
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Slack allowFrom could bind to mutable display names
High
GHSA-c29c-2q9c-pc86
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Control UI locality spoofing could mint a durable admin device token
High
CVE-2026-53817
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
High
GHSA-rggc-m335-3wvj
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Discord allowFrom could bind to mutable display names
High
CVE-2026-53849
was published
for
openclaw
(npm)
Jun 18, 2026
OpenClaw: Zalo allowFrom could bind to mutable display names
High
CVE-2026-53857
was published
for
openclaw
(npm)
Jun 18, 2026
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
Critical
CVE-2026-58399
was published
for
@acastellon/auth
(npm)
Jun 18, 2026
Duplicate Advisory: Zalo allowFrom could bind to mutable display names
High
GHSA-w7m7-3xcf-mp48
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
Duplicate Advisory: Discord allowFrom could bind to mutable display names
High
GHSA-p44v-rx83-vjp4
was published
for
openclaw
(npm)
Jun 16, 2026
•
withdrawn
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
Moderate
CVE-2026-54308
was published
for
n8n
(npm)
Jun 16, 2026
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Critical
CVE-2026-48063
was published
for
@whiskeysockets/baileys
(npm)
Jun 10, 2026
NocoDB: Cross-Workspace Integration Use in Connection Test
Moderate
CVE-2026-47381
was published
for
nocodb
(npm)
Jun 5, 2026
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Critical
GHSA-wf8q-wvv8-p8jf
was published
for
@samanhappy/mcphub
(npm)
May 14, 2026
SillyTavern has Authentication Bypass via SSO Header Injection
Critical
CVE-2026-44649
was published
for
sillytavern
(npm)
May 12, 2026
Duplicate Advisory: OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
GHSA-35vf-vw9f-q3cr
was published
for
openclaw
(npm)
May 6, 2026
•
withdrawn
OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens
High
CVE-2026-44118
was published
for
openclaw
(npm)
May 4, 2026
Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Moderate
GHSA-hgwr-wr8h-rxm7
was published
for
openclaw
(npm)
Apr 10, 2026
•
withdrawn
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
Moderate
CVE-2026-39411
was published
for
@lobehub/lobehub
(npm)
Apr 8, 2026
Electron: Service worker can spoof executeJavaScript IPC replies
Moderate
CVE-2026-34778
was published
for
electron
(npm)
Apr 3, 2026
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
High
CVE-2026-41299
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Moderate
CVE-2026-35656
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Moderate
CVE-2026-35622
was published
for
openclaw
(npm)
Mar 26, 2026
Duplicate Advisory: OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
High
GHSA-qwmf-95r9-gx9x
was published
for
openclaw
(npm)
Mar 21, 2026
•
withdrawn
ProTip!
Advisories are also available from the
GraphQL API