GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,646 advisories

Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() Moderate
CVE-2026-39410 was published for hono (npm) Apr 8, 2026
Credited to tikitiki0370
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses Moderate
CVE-2026-39409 was published for hono (npm) Apr 8, 2026
Credited to r74tech
Hono missing validation of cookie name on write path in setCookie() Moderate
GHSA-26pp-8wgv-hjvm was published for hono (npm) Apr 8, 2026
Credited to athuljayaram
Hono: Path traversal in toSSG() allows writing files outside the output directory Moderate
CVE-2026-39408 was published for hono (npm) Apr 8, 2026
Credited to r74tech
Hono: Middleware bypass via repeated slashes in serveStatic Moderate
CVE-2026-39407 was published for hono (npm) Apr 8, 2026
Credited to blakeembrey
@hono/node-server: Middleware bypass via repeated slashes in serveStatic Moderate
CVE-2026-39406 was published for @hono/node-server (npm) Apr 8, 2026
openclaw-claude-bridge: sandbox is not effective - `--allowed-tools ""` does not restrict available tools Moderate
CVE-2026-39398 was published for openclaw-claude-bridge (npm) Apr 8, 2026
Credited to Dag-Rui
Drizzle ORM has SQL injection via improperly escaped SQL identifiers High
CVE-2026-39356 was published for drizzle-orm (npm) Apr 8, 2026
Credited to EthanKim88 and 0x90sh
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` Moderate
CVE-2026-39381 was published for parse-server (npm) Apr 8, 2026
Credited to offset and mtrezza
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests High
CVE-2026-39371 was published for rwsdk (npm) Apr 8, 2026
Credited to zebbern
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
Parse Server has a login timing side-channel that reveals user existence Moderate
CVE-2026-39321 was published for parse-server (npm) Apr 8, 2026
Credited to offset and mtrezza
coursevault-preview has a path traversal due to improper base-directory boundary validation Moderate
CVE-2026-35613 was published for coursevault-preview (npm) Apr 8, 2026
Credited to moritzmyrz and KevinJohannesen
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws:// Moderate
GHSA-83f3-hh45-vfw9 was published for openclaw (npm) Apr 7, 2026
Credited to zsxsoft and KeenSecurityLab
OpenClaw: Shared-secret comparison call sites leaked length information through timing Moderate
GHSA-jj6q-rrrf-h66h was published for openclaw (npm) Apr 7, 2026
Credited to kexinoh
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders Moderate
GHSA-rxmx-g7hr-8mx4 was published for openclaw (npm) Apr 7, 2026
Credited to D0ub1e-D
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections Moderate
GHSA-fh32-73r9-rgh5 was published for openclaw (npm) Apr 7, 2026
Credited to smaeljaish771
OpenClaw: pnpm dlx approvals did not bind local script operands Moderate
GHSA-w6wx-jq6j-6mcj was published for openclaw (npm) Apr 7, 2026
Credited to Kazamayc
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding Moderate
GHSA-98ch-45wp-ch47 was published for openclaw (npm) Apr 7, 2026
Credited to wsparks-vc and iskindar
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients Moderate
GHSA-2f7j-rp58-mr42 was published for openclaw (npm) Apr 7, 2026
Credited to topsec-bunney
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup Moderate
GHSA-2qrv-rc5x-2g2h was published for openclaw (npm) Apr 7, 2026
Credited to zpbrent
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill Moderate
GHSA-5hff-46vh-rxmw was published for openclaw (npm) Apr 7, 2026
Credited to EaEa0001
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch Moderate
GHSA-4p4f-fc8q-84m3 was published for openclaw (npm) Apr 7, 2026
Credited to nexrin
OpenClaw: QQ Bot structured payloads could read arbitrary local files Moderate
GHSA-846p-hgpv-vphc was published for openclaw (npm) Apr 7, 2026
Credited to feiyang666