
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,470 advisories

mcp-handler has a tool response leak across concurrent client sessions ('Race Condition') High
GHSA-w2fm-25vw-vh7f was published for mcp-handler (npm) Apr 1, 2026
lodash vulnerable to Code Injection via `_.template` imports key names High
CVE-2026-4800 was published for lodash (npm) Apr 1, 2026
Credited to dolevmiz1, bugbunny-research, M0nd0R, UlisesGascon, falsyvalues, jonchurch, threalwinky, and jdalton
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` Moderate
CVE-2026-2950 was published for lodash (npm) Apr 1, 2026
Credited to Haruna38, shpik-kr, maru1009, ott3r07, zolbooo, backuardo, falsyvalues, jonchurch, jdalton, and UlisesGascon
NocoBase Has SQL Injection via template variable substitution in workflow SQL node High
CVE-2026-34825 was published for @nocobase/plugin-workflow-sql (npm) Apr 1, 2026
Parse Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
Credited to offset and mtrezza
Haraka affected by DoS via `__proto__` email header High
CVE-2026-34752 was published for Haraka (npm) Apr 1, 2026
Credited to sebastianosrt and msimerson
Credited to ngocnn97
StableLib Ed25519 Signature Malleability via Missing S < L Check Moderate
GHSA-x3ff-w252-2g7j was published for @stablelib/ed25519 (npm) Apr 1, 2026
Credited to kodareef5
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints Moderate
CVE-2026-34750 was published for @payloadcms/storage-azure (npm) Apr 1, 2026
SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 Moderate
CVE-2026-34526 was published for sillytavern (npm) Apr 1, 2026
Credited to bulmax9797-sketch
Credited to maru1009
SillyTavern: Path Traversal allows file existence oracle Moderate
CVE-2026-34523 was published for sillytavern (npm) Apr 1, 2026
Credited to kirakira-dev
Credited to maru1009
Payload has a CSRF Protection Bypass in Authentication Flow Moderate
CVE-2026-34749 was published for payload (npm) Apr 1, 2026
Payload has Authenticated SSRF via Upload Functionality High
CVE-2026-34746 was published for payload (npm) Apr 1, 2026
@payloadcms/next has Stored XSS in Admin Panel High
CVE-2026-34748 was published for @payloadcms/next (npm) Apr 1, 2026
Payload has an SQL Injection via Query Handling High
CVE-2026-34747 was published for payload (npm) Apr 1, 2026
Credited to hessandrew and arkmarta
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories Moderate
CVE-2026-34451 was published for @anthropic-ai/sdk (npm) Apr 1, 2026
Payload has Unvalidated Input in Password Recovery Endpoints Critical
CVE-2026-34751 was published for @payloadcms/graphql (npm) Apr 1, 2026
Credited to wsk3r
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion High
CVE-2026-34601 was published for @xmldom/xmldom (npm) Apr 1, 2026
Credited to thesmartshadow
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value Moderate
CVE-2026-34595 was published for parse-server (npm) Apr 1, 2026
Credited to bugbunny-research and mtrezza
Parse Server has a session field immutability bypass via falsy-value guard Moderate
CVE-2026-34574 was published for parse-server (npm) Apr 1, 2026
Credited to bugbunny-research and mtrezza
Credited to tdjackey