GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

5,932 advisories

Clerk has an authorization bypass when combining organization, billing, or reverification checks High
CVE-2026-42349 was published for @clerk/astro (npm) Apr 30, 2026
Credited to manthanghasadiya

Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS High
CVE-2026-40171 was published for @jupyter-notebook/help-extension (npm) Apr 30, 2026
Credited to dtrops, Carreau, Yann-P, krassowski, and jtpio

Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool Moderate
CVE-2026-41686 was published for @anthropic-ai/sdk (npm) Apr 29, 2026

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters High
CVE-2026-42353 was published for i18next-http-middleware (npm) Apr 29, 2026

Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer High
CVE-2026-41680 was published for marked (npm) Apr 29, 2026
Credited to MaanVader

OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft

OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Moderate
GHSA-c28g-vh7m-fm7v was published for openclaw (npm) Apr 29, 2026
Credited to zsxsoft and KeenSecurityLab

n8n has XML Node Prototype Pollution that Leads to RCE Critical
CVE-2026-42232 was published for n8n (npm) Apr 29, 2026
Credited to simonkoeck

n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE Critical
CVE-2026-42231 was published for n8n (npm) Apr 29, 2026
Credited to a-tallat

n8n Vulnerable to XSS via MCP OAuth client High
CVE-2026-42235 was published for n8n (npm) Apr 29, 2026
Credited to OscarBataille
Credited to ESPanda666

n8n has a Python Task Runner Sandbox Escape Vulnerability High
CVE-2026-42234 was published for n8n (npm) Apr 29, 2026
Credited to dorjoos

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure Moderate
CVE-2026-42227 was published for n8n (npm) Apr 29, 2026
Credited to nkoorty and jjjutla

n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration High
CVE-2026-42236 was published for n8n (npm) Apr 29, 2026
Credited to ori-ron

n8n Vulnerable to Hijacking of Unauthenticated Chat Execution Moderate
CVE-2026-42228 was published for n8n (npm) Apr 29, 2026
Credited to 34selen

n8n has SQL Injection in SeaTable Node Moderate
CVE-2026-42229 was published for n8n (npm) Apr 29, 2026
Credited to sm1ee

n8n has Open Redirect in MCP OAuth Consent Flow Moderate
CVE-2026-42230 was published for n8n (npm) Apr 29, 2026
Credited to ori-ron

n8n has SQL Injection in Oracle Database Node via Limit Field Moderate
CVE-2026-42233 was published for n8n (npm) Apr 29, 2026
Credited to pawbednarz

n8n has SQL Injection in Snowflake and MySQL Nodes Moderate
CVE-2026-42237 was published for n8n (npm) Apr 29, 2026

OpenClaw: Agent gateway config mutations could change protected operator settings Moderate
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy Moderate
GHSA-qrp5-gfw2-gxv4 was published for openclaw (npm) Apr 25, 2026
Credited to zsxsoft, KeenSecurityLab, and qclawer

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests Moderate
GHSA-h2vw-ph2c-jvwf was published for openclaw (npm) Apr 25, 2026
Credited to nexrin

OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks Low
GHSA-j4c5-89f5-f3pm was published for openclaw (npm) Apr 25, 2026
Credited to nicky-cc

OpenClaw: Paired-device pairing actions were not limited to the caller device Low
GHSA-xrq9-jm7v-g9h7 was published for openclaw (npm) Apr 25, 2026
Credited to Hinotoi-agent