
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,189 advisories

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data (Moderate)
CVE-2026-42039, published for axios (npm), May 5, 2026. Credited to fg0x0.

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 (Moderate)
CVE-2026-42034, published for axios (npm), May 5, 2026. Credited to asadeddin.

Axios: HTTP adapter streamed responses bypass maxContentLength (Moderate)
CVE-2026-42036, published for axios (npm), May 5, 2026. Credited to asadeddin and August829.

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy (Moderate)
CVE-2026-42041, published for axios (npm), May 5, 2026. Credited to August829.

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` (Moderate)
CVE-2026-42044, published for axios (npm), May 5, 2026. Credited to August829.

OpenClaw's Gateway Control UI bootstrap config required Gateway auth (Moderate)
GHSA-93rg-2xm5-2p9v, published for openclaw (npm), May 4, 2026. Credited to zsxsoft and KeenSecurityLab.

OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes (Moderate)
CVE-2026-44113, published for openclaw (npm), May 4, 2026. Credited to VladimirEliTokarev.

OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root (Moderate)
CVE-2026-44112, published for openclaw (npm), May 4, 2026. Credited to VladimirEliTokarev.

OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs (Moderate)
GHSA-x3h8-jrgh-p8jx, published for openclaw (npm), May 4, 2026. Credited to VladimirEliTokarev.

OpenClaw: Workspace dotenv files cannot override connector endpoint hosts (Moderate)
CVE-2026-45003, published for openclaw (npm), May 4, 2026. Credited to qi-scape.

OpenClaw's ACP child sessions inherit subagent security envelope constraints (Moderate)
CVE-2026-44997, published for openclaw (npm), May 4, 2026. Credited to zsxsoft and KeenSecurityLab.

OpenClaw validates Zalo outbound photo URLs through the SSRF guard (Moderate)
CVE-2026-44116, published for openclaw (npm), May 4, 2026. Credited to foodlook.

sublinear-time-solver has a Path Traversal Issue (Moderate)
CVE-2026-7645, published for sublinear-time-solver (npm), May 2, 2026.

@diplodoc/search-extension allows stored XSS via Markdown file title (Moderate)
CVE-2026-40201, published for @diplodoc/search-extension (npm), May 1, 2026.

mcp-server-semgrep has a Command Injection issue (Moderate)
CVE-2026-7446, published for mcp-server-semgrep (npm), Apr 30, 2026.

Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool (Moderate)
CVE-2026-41686, published for @anthropic-ai/sdk (npm), Apr 29, 2026. Credited to gn00295120.

OpenClaw: Webchat audio embedding could read local files without local-root containment (Moderate)
GHSA-gfg9-5357-hv4c, published for openclaw (npm), Apr 29, 2026. Credited to zsxsoft and KeenSecurityLab.

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners (Moderate)
CVE-2026-44991, published for openclaw (npm), Apr 29, 2026. Credited to zsxsoft and KeenSecurityLab.

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure (Moderate)
CVE-2026-42227, published for n8n (npm), Apr 29, 2026. Credited to nkoorty and jjjutla.

n8n Vulnerable to Hijacking of Unauthenticated Chat Execution (Moderate)
CVE-2026-42228, published for n8n (npm), Apr 29, 2026. Credited to 34selen, Aikido-Security, JorianWoltjer, reindaelman, and grumpinout1.

n8n has SQL Injection in SeaTable Node (Moderate)
CVE-2026-42229, published for n8n (npm), Apr 29, 2026. Credited to sm1ee.

n8n has Open Redirect in MCP OAuth Consent Flow (Moderate)
CVE-2026-42230, published for n8n (npm), Apr 29, 2026. Credited to ori-ron.

n8n has SQL Injection in Oracle Database Node via Limit Field (Moderate)
CVE-2026-42233, published for n8n (npm), Apr 29, 2026. Credited to pawbednarz.

n8n has SQL Injection in Snowflake and MySQL Nodes (Moderate)
CVE-2026-42237, published for n8n (npm), Apr 29, 2026. Credited to offensiveee.