GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,189 advisories
NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Moderate
CVE-2026-46552
was published
for
nocodb
(npm)
May 21, 2026
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
Moderate
CVE-2026-46551
was published
for
nocodb
(npm)
May 21, 2026
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
Moderate
CVE-2026-46550
was published
for
nocodb
(npm)
May 21, 2026
NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
Moderate
CVE-2026-46548
was published
for
nocodb
(npm)
May 21, 2026
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
Moderate
CVE-2026-46547
was published
for
nocodb
(npm)
May 21, 2026
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Moderate
CVE-2026-34043
was published
for
serialize-javascript
(npm)
Mar 27, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
CVE-2026-41907
was published
for
uuid
(npm)
Apr 22, 2026
@sveltejs/kit: `query.batch` cross-talk
Moderate
GHSA-hgv7-v322-mmgr
was published
for
@sveltejs/kit
(npm)
May 21, 2026
Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool
Moderate
CVE-2026-41686
was published
for
@anthropic-ai/sdk
(npm)
Apr 29, 2026
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Moderate
GHSA-c2c9-mfw7-p8hw
was published
for
flowise
(npm)
May 20, 2026
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Moderate
GHSA-59fh-9f3p-7m39
was published
for
flowise
(npm)
May 20, 2026
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Moderate
GHSA-m837-xvxr-vqwg
was published
for
flowise
(npm)
May 20, 2026
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Moderate
CVE-2026-40175
was published
for
axios
(npm)
Apr 10, 2026
HAX CMS: Denial of Service using Malicious Import Request
Moderate
CVE-2026-46357
was published
for
@haxtheweb/haxcms-nodejs
(npm)
May 19, 2026
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
Moderate
CVE-2026-46341
was published
for
@apify/actors-mcp-server
(npm)
May 19, 2026
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Moderate
CVE-2026-46424
was published
for
@budibase/backend-core
(npm)
May 19, 2026
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
Moderate
CVE-2026-45740
was published
for
protobufjs
(npm)
May 19, 2026
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
Moderate
GHSA-3875-8gcx-7v46
was published
for
n8n
(npm)
May 19, 2026
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Moderate
CVE-2026-45346
was published
for
open-webui
(npm)
May 14, 2026
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Moderate
CVE-2026-45005
was published
for
openclaw
(npm)
May 5, 2026
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
Moderate
CVE-2026-45003
was published
for
openclaw
(npm)
May 4, 2026
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Moderate
CVE-2026-45002
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw's ACP child sessions inherit subagent security envelope constraints
Moderate
CVE-2026-44997
was published
for
openclaw
(npm)
May 4, 2026
ProTip!
Advisories are also available from the
GraphQL API