Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
47
Go
3,340
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,549
Pub
12
RubyGems
1,012
Rust
1,202
Swift
51
Unreviewed advisories
All unreviewed
5,000+

27,905 advisories

Loading
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code High
CVE-2026-33943 was published for happy-dom (npm) Mar 26, 2026
tndud042713 Credited to tndud042713
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection Moderate
CVE-2026-33916 was published for handlebars (npm) Mar 26, 2026
ByamB4 Credited to ByamB4
Loofah has improper detection of disallowed URIs via `allowed_uri?` Low
GHSA-2j22-pr5w-6gq8 was published for loofah (RubyGems) Mar 26, 2026
Ella Core Panics during NAS Authentication Response/Failure with missing IEs Moderate
CVE-2026-33907 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core has a Denial of Service via SCTP connection cleanup deadlock Moderate
CVE-2026-33904 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
Ella Core panics when processing a crafted NGAP LocationReport message Moderate
CVE-2026-33903 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
ImageMagick: META reader memory leak in the APP1JPEG input path Low
GHSA-9r56-3gjq-hqf7 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 26, 2026
unbengable12 Credited to unbengable12
ImageMagick has possible memory leak in ASHLAR coder when action fails Low
GHSA-6p22-q7w5-33pg was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 26, 2026
unbengable12 Credited to unbengable12
Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery Moderate
GHSA-hff2-gcpx-8f4p was published for apollo-router (Rust) Mar 26, 2026
AmirMSafari Credited to AmirMSafari
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) High
CVE-2026-33896 was published for node-forge (npm) Mar 26, 2026
peaktwilight Credited to peaktwilight
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla and dderpym dderpym dderpym
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input High
CVE-2026-33891 was published for node-forge (npm) Mar 26, 2026
Kr0emer Credited to Kr0emer
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention Moderate
GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) Mar 26, 2026
AmirMSafari Credited to AmirMSafari
OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013) High
GHSA-7xr2-q9vf-x4r5 was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts Moderate
GHSA-cfp9-w5v9-3q4h was published for openclaw (npm) Mar 26, 2026
YLChen-007 Credited to YLChen-007
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting High
GHSA-74wf-h43j-vvmj was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision Moderate
GHSA-rqp8-q22p-5j9q was published for openclaw (npm) Mar 26, 2026
tdjackey Credited to tdjackey
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions Moderate
GHSA-x2cm-hg9c-mf5w was published for openclaw (npm) Mar 26, 2026
space08 Credited to space08
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection Moderate
GHSA-844j-xrrq-wgh4 was published for openclaw (npm) Mar 26, 2026
lintsinghua Credited to lintsinghua
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve Critical
GHSA-hf68-49fm-59cq was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals High
GHSA-mp66-rf4f-mhh8 was published for openclaw (npm) Mar 26, 2026
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Moderate
GHSA-xhq5-45pm-2gjr was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation Low
GHSA-pw7h-9g6p-c378 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database