Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

2,647 advisories

Loading
SafeInstall agent guard shell parsing can miss raw package execution High
GHSA-xrmc-c5cg-rv7x was published for safeinstall-cli (npm) Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays High
CVE-2026-49866 was published for @libp2p/gossipsub (npm) Jul 10, 2026
tahaafarooq Credited to tahaafarooq
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers High
GHSA-j8v8-g9cx-5qf4 was published for @better-auth/scim (npm) Jul 7, 2026
Jvr2022 Credited to Jvr2022
chdanielmueller Credited to chdanielmueller
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption High
CVE-2026-53517 was published for @better-auth/oauth-provider (npm) Jul 7, 2026
chdanielmueller Credited to chdanielmueller
subhanUmer Credited to subhanUmer
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp High
GHSA-86j7-9j95-vpqj was published for better-auth (npm) Jul 7, 2026
hillalee Credited to hillalee
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email High
CVE-2026-53516 was published for better-auth (npm) Jul 7, 2026
avrmeduard Credited to avrmeduard
widavies Credited to widavies
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write High
GHSA-322x-v876-g883 was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion High
CVE-2026-52746 was published for jsonata (npm) Jul 2, 2026
peaktwilight Credited to peaktwilight
electerm has Command Injection in File System Operations (rmrf, mv, cp) High
CVE-2026-49255 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling High
CVE-2026-49253 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields High
CVE-2026-49250 was published for @conform-to/dom (npm) Jul 2, 2026
jviide Credited to jviide
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw: Native command authorization could skip owner-command enforcement High
GHSA-p73f-w79w-jqr5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
OpenClaw: Trusted retry endpoint checks could match hostname prefixes High
GHSA-77q5-rr5v-x43q was published for openclaw (npm) Jul 2, 2026
ccy41928-del Credited to ccy41928-del
OpenClaw: Telegram interactive callbacks could skip commands.allowFrom High
GHSA-w5ww-7chg-mxcq was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Matrix allowFrom could bind to mutable display names High
CVE-2026-53811 was published for openclaw (npm) Jul 2, 2026
PhilipPhil Credited to PhilipPhil
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance High
CVE-2026-53816 was published for openclaw (npm) Jul 2, 2026
cantinagen Credited to cantinagen and Ellahinator Ellahinator Ellahinator
ProTip! Advisories are also available from the GraphQL API