GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
101
GitHub Actions
54
Go
4,295
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,107
Rust
1,492
Swift
61
Unreviewed advisories
All unreviewed
5,000+
2,647 advisories
Filter by severity
SafeInstall agent guard shell parsing can miss raw package execution
High
GHSA-xrmc-c5cg-rv7x
was published
for
safeinstall-cli
(npm)
Jul 10, 2026
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
High
CVE-2026-49866
was published
for
@libp2p/gossipsub
(npm)
Jul 10, 2026
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
High
GHSA-j8v8-g9cx-5qf4
was published
for
@better-auth/scim
(npm)
Jul 7, 2026
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
High
CVE-2026-53518
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
High
CVE-2026-53517
was published
for
@better-auth/oauth-provider
(npm)
Jul 7, 2026
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
High
GHSA-9h47-pqcx-hjr4
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
High
GHSA-86j7-9j95-vpqj
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
High
CVE-2026-53516
was published
for
better-auth
(npm)
Jul 7, 2026
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
High
CVE-2026-53514
was published
for
better-auth
(npm)
Jul 7, 2026
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
High
GHSA-322x-v876-g883
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
High
CVE-2026-52746
was published
for
jsonata
(npm)
Jul 2, 2026
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
High
GHSA-f9ff-5x35-7gfw
was published
for
@grackle-ai/auth
(npm)
Jul 2, 2026
electerm has Command Injection in File System Operations (rmrf, mv, cp)
High
CVE-2026-49255
was published
for
electerm
(npm)
Jul 2, 2026
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling
High
CVE-2026-49253
was published
for
electerm
(npm)
Jul 2, 2026
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
High
CVE-2026-49250
was published
for
@conform-to/dom
(npm)
Jul 2, 2026
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
High
GHSA-vv65-f55v-xm6g
was published
for
@grackle-ai/powerline
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw: Native command authorization could skip owner-command enforcement
High
GHSA-p73f-w79w-jqr5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Trusted retry endpoint checks could match hostname prefixes
High
GHSA-77q5-rr5v-x43q
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Telegram interactive callbacks could skip commands.allowFrom
High
GHSA-w5ww-7chg-mxcq
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Matrix allowFrom could bind to mutable display names
High
CVE-2026-53811
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance
High
CVE-2026-53816
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API