
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

5,578 advisories

OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter (High)
GHSA-9jpj-g8vv-j5mf was published for openclaw (npm) Apr 4, 2026
Credited to BG0ECV

defu: Prototype pollution via `__proto__` key in defaults argument (High)
CVE-2026-35209 was published for defu (npm) Apr 4, 2026
Credited to BlackHatExploitation and kricsleo

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries (High)
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits (Moderate)
CVE-2026-35441 was published for directus (npm) Apr 4, 2026
Credited to liyander

Directus: Sensitive fields exposed in revision history (Moderate)
GHSA-mvv8-v4jj-g47j was published for directus (npm) Apr 4, 2026

Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite (High)
CVE-2026-35412 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import (High)
CVE-2026-35409 was published for directus (npm) Apr 4, 2026
Credited to alissonbezerra and odgrso

Directus: GraphQL Schema SDL Disclosure Setting (Moderate)
CVE-2026-35413 was published for directus (npm) Apr 4, 2026
Credited to bugbunny-research and odgrso

Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow (Moderate)
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
Credited to POV9en

Directus: Open Redirect in Admin 2FA Setup Page (Moderate)
CVE-2026-35411 was published for directus (npm) Apr 4, 2026
Credited to ComfortablyCoding, Akokonunes, and neo-ai-engineer

Directus: Path Traversal and Broken Access Control in File Management API (High)
GHSA-393c-p46r-7c95 was published for directus (npm) Apr 4, 2026
Credited to r3dpower, pmins99, and odgrso

Directus: Missing Cross-Origin Opener Policy (High)
CVE-2026-35408 was published for directus (npm) Apr 4, 2026

Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step (Critical)
CVE-2026-35216 was published for @budibase/server (npm) Apr 4, 2026
Credited to da7om85

Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write (High)
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
Credited to bugbunny-research

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url (High)
CVE-2026-35394 was published for @mobilenext/mobile-mcp (npm) Apr 4, 2026
Credited to manthanghasadiya

@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags (High)
GHSA-5jg4-p4qw-cgfr was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022

@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding (High)
GHSA-w48f-fwg7-ww6p was published for @stablelib/cbor (npm) Apr 4, 2026
Credited to Jvr2022

@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing (High)
CVE-2026-35213 was published for @hapi/content (npm) Apr 4, 2026

Parse Server: File upload Content-Type override via extension mismatch (Low)
CVE-2026-35200 was published for parse-server (npm) Apr 4, 2026
Credited to offset and mtrezza

fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) (High)
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
Credited to dmbs335

Budibase: Command Injection in Bash Automation Step (High)
CVE-2026-25044 was published for @budibase/server (npm) Apr 3, 2026
Credited to omkarparth

Electron: Use-after-free in offscreen shared texture release() callback (Low)
CVE-2026-34764 was published for electron (npm) Apr 3, 2026
Credited to daffainfo

SandboxJS: Sandbox Escape via Prop Object Leak in New Handler (Moderate)
CVE-2026-34217 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
Credited to chawdamrunal

SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser (Moderate)
CVE-2026-34211 was published for @nyariv/sandboxjs (npm) Apr 3, 2026
Credited to offset