Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,439
Maven
5,000+
npm
5,000+
NuGet
883
pip
4,695
Pub
13
RubyGems
1,031
Rust
1,222
Swift
53
Unreviewed advisories
All unreviewed
5,000+

28,660 advisories

Loading
OpenClaw safeBins file-existence oracle information disclosure Moderate
CVE-2026-4040 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
CVE-2026-31996 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() High
CVE-2026-27206 was published for zumba/json-serializer (Composer) Feb 19, 2026
TheDeepOpc Credited to TheDeepOpc, jrbasso, and cjsaylor jrbasso jrbasso
cjsaylor cjsaylor
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration Critical
GHSA-6qr9-g2xw-cw92 was published for github.com/dagu-org/dagu (Go) Feb 19, 2026
ByamB4 Credited to ByamB4
OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace High
CVE-2026-32060 was published for openclaw (npm) Feb 19, 2026
p80n-sec Credited to p80n-sec
Flask session does not add `Vary: Cookie` header when accessed in some ways Low
CVE-2026-27205 was published for flask (pip) Feb 19, 2026
shouryaj98 Credited to shouryaj98
Pannellum has a XSS vulnerability in hot spot attributes Moderate
CVE-2026-27210 was published for pannellum (npm) Feb 19, 2026
lumin9ry Credited to lumin9ry, SUT0L, and Visvge SUT0L SUT0L
Visvge Visvge
Werkzeug safe_join() allows Windows special device names Moderate
CVE-2026-27199 was published for werkzeug (pip) Feb 19, 2026
alimezar Credited to alimezar
Feathers exposes internal headers via unencrypted session cookie High
CVE-2026-27193 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
vvxhid Credited to vvxhid and b0-n0-b0 b0-n0-b0 b0-n0-b0
Feathers has an origin validation bypass via prefix matching High
CVE-2026-27192 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
vvxhid Credited to vvxhid and b0-n0-b0 b0-n0-b0 b0-n0-b0
Feathers has an open redirect in OAuth callback enables account takeover High
CVE-2026-27191 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
vvxhid Credited to vvxhid and b0-n0-b0 b0-n0-b0 b0-n0-b0
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process High
CVE-2026-27190 was published for deno (Rust) Feb 19, 2026
jackhax Credited to jackhax
Formwork Improperly Managed Privileges in User creation High
CVE-2026-27198 was published for getformwork/formwork (Composer) Feb 19, 2026
G3XAR Credited to G3XAR
Statamic affected by privilege escalation via stored cross-site scripting High
CVE-2026-27196 was published for statamic/cms (Composer) Feb 19, 2026
genneta Credited to genneta
CPU exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-88qp-p4qg-rqm6 was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Memory exhaustion in SvelteKit remote form deserialization (experimental only) Moderate
GHSA-vrhm-gvg7-fpcf was published for @sveltejs/kit (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue affected by CPU and memory amplification from sparse arrays Low
GHSA-33hq-fvwr-56pm was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed Low
GHSA-8qm3-746x-r74r was published for devalue (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint High
CVE-2026-27194 was published for dtale (pip) Feb 19, 2026
Svelte SSR attribute spreading includes inherited properties from prototype chain Moderate
CVE-2026-27125 was published for svelte (npm) Feb 19, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
kevgeoleo Credited to kevgeoleo, vdata1, and reallyTG vdata1 vdata1
reallyTG reallyTG
eBay API MCP Server Affected by Environment Variable Injection High
CVE-2026-27203 was published for ebay-mcp (npm) Feb 19, 2026
nedlir Credited to nedlir
PyO3 has type confusion when accessing data from sublasses of subclasses of native types with `abi3` feature High
GHSA-47qc-857f-7w7f was published for pyo3 (Rust) Feb 19, 2026
Hono added timing comparison hardening in basicAuth and bearerAuth Low
GHSA-gq3j-xvxp-8hrf was published for hono (npm) Feb 19, 2026
Exagone313 Credited to Exagone313
OpenClaw replaced a deprecated sandbox hash algorithm High
CVE-2026-28479 was published for openclaw (npm) Feb 19, 2026
kexinoh Credited to kexinoh
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database