GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,102 advisories

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names Critical
CVE-2026-25896 was published for fast-xml-parser (npm) Feb 20, 2026
Credited to Ochk0
Ghost has a SQL injection in Content API Critical
CVE-2026-26980 was published for ghost (npm) Feb 18, 2026
Prototype pollution in swiper Critical
CVE-2026-27212 was published for swiper (npm) Feb 19, 2026
Credited to kevgeoleo, vdata1, and reallyTG
SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE Critical
CVE-2026-25142 was published for @nyariv/sandboxjs (npm) Feb 2, 2026
Credited to c0rydoras
OpenClaw has a Path Traversal in Plugin Installation Critical
GHSA-qrq5-wjgg-rvqw was published for openclaw (npm) Feb 17, 2026
Credited to logicx24
OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching) Critical
GHSA-4rj2-gpmh-qq5x was published for openclaw (npm) Feb 17, 2026
Credited to simecek, stanislavfortaisle, and MegaManSec
Nextcloud Talk allowlist bypass via actor.name display name spoofing Critical
GHSA-r5h9-vjqc-hq3r was published for @openclaw/nextcloud-talk (npm) Feb 17, 2026
Credited to MegaManSec
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
GHSA-fhvm-j76f-qmjv was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
pbkdf2 silently disregards Uint8Array input, returning static keys Critical
CVE-2025-6547 was published for pbkdf2 (npm) Jun 23, 2025
Credited to ChALkeR and ljharb
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated Critical
GHSA-rv39-79c4-7459 was published for openclaw (npm) Feb 17, 2026
Credited to simecek and stanislavfortaisle
set-in Affected by Prototype Pollution Critical
CVE-2026-26021 was published for set-in (npm) Feb 11, 2026
Credited to kevgeoleo, vdata1, and reallyTG
SQL Injection in typeorm Critical
GHSA-w7q7-vjp8-7jv4 was published for typeorm (npm) Jun 6, 2019
Credited to sunnypatell
CASL Ability is Vulnerable to Prototype Pollution Critical
CVE-2026-1774 was published for @casl/ability (npm) Feb 10, 2026
FUXA Unauthenticated Remote Code Execution in Node-RED Integration Critical
CVE-2026-25938 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API Critical
CVE-2026-25895 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Remote Arbitrary Scheduler Write Critical
CVE-2026-25939 was published for fuxa-server (npm) Feb 10, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration Critical
CVE-2026-25894 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Remote Code Execution via Admin JWT Minting Critical
CVE-2026-25893 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) Critical
CVE-2026-25881 was published for @nyariv/sandboxjs (npm) Feb 10, 2026
Credited to k14uz
@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters Critical
CVE-2026-25544 was published for @payloadcms/drizzle (npm) Feb 5, 2026
Credited to thxtech
@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses Critical
CVE-2026-25641 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to cristianstaicu
@nyariv/sandboxjs has a Sandbox Escape vulnerability Critical
CVE-2026-25587 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to c0rydoras
@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution Critical
CVE-2026-25586 was published for @nyariv/sandboxjs (npm) Feb 5, 2026
Credited to sofianeelhor
FUXA Unauthenticated Remote Arbitrary Device Tag Write Critical
CVE-2026-25752 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen
FUXA Unauthenticated Exposure of Plaintext Database Credentials Critical
CVE-2026-25751 was published for fuxa-server (npm) Feb 5, 2026
Credited to wodzen