GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,100 advisories

Ghost has a SQL injection in Content API Critical
CVE-2026-26980 was published for ghost (npm) Feb 18, 2026
OpenClaw has a Path Traversal in Plugin Installation Critical
GHSA-qrq5-wjgg-rvqw was published for openclaw (npm) Feb 17, 2026
Credited to logicx24
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching) Critical
GHSA-4rj2-gpmh-qq5x was published for openclaw (npm) Feb 17, 2026
Credited to simecek, stanislavfortaisle, and MegaManSec
Nextcloud Talk allowlist bypass via actor.name display name spoofing Critical
GHSA-r5h9-vjqc-hq3r was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
GHSA-fhvm-j76f-qmjv was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated Critical
GHSA-rv39-79c4-7459 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
Credited to kevgeoleo, vdata1, and reallyTG
CASL Ability is Vulnerable to Prototype Pollution Critical
CVE-2026-1774 was published for @casl/ability (npm) Feb 10, 2026
FUXA Unauthenticated Remote Arbitrary Scheduler Write Critical
CVE-2026-25939 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) Critical
CVE-2026-25881 was published for @nyariv/sandboxjs (npm) Feb 10, 2026
Credited to k14uz
@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses Critical
CVE-2026-25641 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to cristianstaicu
@nyariv/sandboxjs has a Sandbox Escape vulnerability Critical
CVE-2026-25587 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to c0rydoras
@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution Critical
CVE-2026-25586 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to sofianeelhor
@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters Critical
CVE-2026-25544 was published for @payloadcms/drizzle (npm) Feb 5, 2026
Credited to thxtech
@nyariv/sandboxjs has a Sandbox Escape issue Critical
CVE-2026-25520 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to c0rydoras
FUXA Unauthenticated Remote Arbitrary Device Tag Write Critical
CVE-2026-25752 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API Critical
CVE-2026-25895 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration Critical
CVE-2026-25894 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Exposure of Plaintext Database Credentials Critical
CVE-2026-25751 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Admin JWT Minting Critical
CVE-2026-25893 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
survey-pdf Upgraded jsPDF Version Due to Security Vulnerability Critical
CVE-2026-25630 was published for survey-pdf (npm) Feb 4, 2026
n8n has a Python sandbox escape Critical
CVE-2026-25115 was published for n8n (npm) Feb 4, 2026
Credited to MarcoPoloPie and c0rydoras
n8n Merge Node has Arbitrary File Write leading to RCE Critical
CVE-2026-25056 was published for n8n (npm) Feb 4, 2026
Credited to nlgbao1340
n8n has OS Command Injection in Git Node Critical
CVE-2026-25053 was published for n8n (npm) Feb 4, 2026
Credited to fatihhcelik, simonkoeck, and yadhukrishnam
ProTip! Advisories are also available from the GraphQL API