GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

200 advisories

OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface (High)
GHSA-cxmw-p77q-wchg was published for openclaw (npm) Mar 26, 2026
Credited to cyjhhh

@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters (Critical)
CVE-2026-31862 was published for @siteboon/claudecodeui (npm) Mar 11, 2026
Credited to toufik-airane and neo-ai-engineer

@budibase/server: Command Injection in PostgreSQL Dump Command (High)
CVE-2026-25041 was published for @budibase/server (npm) Mar 9, 2026
Credited to omkarparth and tdjackey

MCP NMAP Server has an Injection vulnerability (Moderate)
CVE-2026-3484 was published for mcp-nmap-server (npm) Mar 3, 2026

OpenClaw: Unsanitized CWD path injection into LLM prompts (High)
CVE-2026-27001 was published for openclaw (npm) Feb 18, 2026
Credited to aether-ai-agent

xcode-mcp-server vulnerable to Command Injection (Low)
CVE-2026-2178 was published for xcode-mcp-server (npm) Feb 8, 2026

mcp-maigret vulnerable to command injection (Moderate)
CVE-2026-2130 was published for mcp-maigret (npm) Feb 8, 2026

BrowserStack Local vulnerable to Command Injection through logfile variable (Moderate)
CVE-2025-57283 was published for browserstack-local (npm) Jan 28, 2026
Credited to mgol

Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click RCE (Critical)
GHSA-cr3w-cw5w-h3fj was published for @saltcorn/server (npm) Jan 26, 2026
Credited to Mathis-Z

Orval Mock Generation Code Injection via const (High)
CVE-2026-24132 was published for @orval/mock (npm) Jan 22, 2026
Credited to k14uz

Orval has a code injection via unsanitized x-enum-descriptions in enum generation (Critical)
CVE-2026-23947 was published for @orval/core (npm) Jan 21, 2026
Credited to k14uz and ZipJo

Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file (Moderate)
GHSA-3f44-xw83-3pmg was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file (Moderate)
GHSA-xjr7-3c3g-m763 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies (Moderate)
GHSA-36j9-mx87-2cff was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration (Moderate)
GHSA-fr4j-65pv-gjjj was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository (Moderate)
GHSA-xv56-3wq5-9997 was published for renovate (npm) Jan 13, 2026
Credited to astellingwerf

orval MCP client is vulnerable to a code injection attack (Critical)
CVE-2026-22785 was published for @orval/mcp (npm) Jan 13, 2026
Credited to nirhaas

serverless MCP Server vulnerable to Command Injection in list-projects tool (High)
CVE-2025-69256 was published for serverless (npm) Dec 31, 2025
Credited to dellalibera

mcp-server-kubernetes has potential security issue in exec_in_pod tool (Moderate)
CVE-2025-66404 was published for mcp-server-kubernetes (npm) Dec 3, 2025
Credited to lavenderlilly

Claude Code Command Validation Bypass Allows Arbitrary Code Execution (High)
CVE-2025-66032 was published for @anthropic-ai/claude-code (npm) Dec 3, 2025
Credited to Ry0taK

willitmerge has a Command Injection vulnerability (Moderate)
CVE-2025-66219 was published for willitmerge (npm) Nov 26, 2025
Credited to lirantal

MCPHub's ServerController is vulnerable to Command Injection (Low)
CVE-2025-11285 was published for @samanhappy/mcphub (npm) Oct 5, 2025