
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

27,823 advisories

AVideo has Stored Cross-Site Scripting via Markdown Comment Injection Moderate
CVE-2026-27568 was published for wwbn/avideo (Composer) Feb 20, 2026
Credited to arkmarta
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused Moderate
CVE-2026-27492 was published for lettermint (npm) Feb 20, 2026
Traefik affected by TLS ClientAuth Bypass on HTTP/3 High
GHSA-gv8r-9rw9-9697 was published for github.com/traefik/traefik (Go) Feb 20, 2026
Credited to rbqvq
OpenClaw hardened cron webhook delivery against SSRF Moderate
CVE-2026-27488 was published for openclaw (npm) Feb 20, 2026
Credited to Adam55A-code
OpenClaw: Reject symlinks in local skill packaging script Moderate
CVE-2026-27485 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows Low
CVE-2026-27484 was published for openclaw (npm) Feb 20, 2026
Credited to aether-ai-agent
Sync-in Server has a stored cross-site scripting (XSS) vulnerability Moderate
CVE-2025-67438 was published for @sync-in/server (npm) Feb 20, 2026
Credited to naoyashiga and joseluisq
Fickling has a detection bypass via stdlib network-protocol constructors Low
GHSA-83pf-v6qq-pwmr was published for fickling (pip) Feb 20, 2026
Credited to NucleiAv
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names Critical
CVE-2026-25896 was published for fast-xml-parser (npm) Feb 20, 2026
Credited to Ochk0 and yuezk
bn.js affected by an infinite loop Moderate
CVE-2026-2739 was published for bn.js (npm) Feb 20, 2026
Credited to richardsimko and jochenschmich-aeberle
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped Low
CVE-2026-24122 was published for github.com/sigstore/cosign (Go) Feb 19, 2026
Credited to 1seal
Centrifugo v6.6.0 dependency vulnerabilities Moderate
GHSA-j9wf-6r2x-hqmx was published for github.com/centrifugal/centrifugo/v6 (Go) Feb 19, 2026
Credited to samir-is-here
OpenClaw safeBins file-existence oracle information disclosure Moderate
CVE-2026-4040 was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
CVE-2026-31996 was published for openclaw (npm) Feb 19, 2026
Credited to nedlir
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
Credited to TheDeepOpc, jrbasso, and cjsaylor
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration Critical
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
Credited to ByamB4
OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace High
CVE-2026-32060 was published for openclaw (npm) Feb 19, 2026
Credited to p80n-sec
Flask session does not add `Vary: Cookie` header when accessed in some ways Low
CVE-2026-27205 was published for flask (pip) Feb 19, 2026
Credited to shouryaj98
Pannellum has a XSS vulnerability in hot spot attributes Moderate
CVE-2026-27210 was published for pannellum (npm) Feb 19, 2026
Credited to lumin9ry, SUT0L, and Visvge
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2026-27199 was published for werkzeug (pip) Feb 19, 2026
Credited to alimezar
Feathers exposes internal headers via unencrypted session cookie High
CVE-2026-27193 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0
Feathers has an origin validation bypass via prefix matching High
CVE-2026-27192 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0
Feathers has an open redirect in OAuth callback enables account takeover High
CVE-2026-27191 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
Credited to vvxhid and b0-n0-b0
Credited to jackhax