GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
1,183 advisories
Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Critical • CVE-2026-35216 was published for @budibase/server (npm) • Apr 4, 2026

SandboxJS: Sandbox integrity escape
Critical • CVE-2026-34208 was published for @nyariv/sandboxjs (npm) • Apr 3, 2026

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Critical • CVE-2026-33950 was published for signalk-server (npm) • Apr 3, 2026

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Critical • CVE-2026-31818 was published for @budibase/backend-core (npm) • Apr 3, 2026

fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical • CVE-2026-35039 was published for fast-jwt (npm) • Apr 3, 2026

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Critical • GHSA-xg6x-h9c9-2m83 was published for better-auth (npm) • Apr 3, 2026

OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
Critical • GHSA-9p3r-hh9g-5cmg was published for openclaw (npm) • Apr 3, 2026

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Critical • GHSA-g5cg-8x5w-7jpm was published for openclaw (npm) • Apr 2, 2026

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
Critical • CVE-2026-34950 was published for fast-jwt (npm) • Apr 2, 2026

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions
Critical • GHSA-3hfp-gqgh-xc5g was published for @lightdash/cli (npm) • Apr 2, 2026

Axios npm Supply Chain Incident Impacting @usebruno/cli
Critical • CVE-2026-34841 was published for @usebruno/cli (npm) • Apr 2, 2026

Payload has Unvalidated Input in Password Recovery Endpoints
Critical • CVE-2026-34751 was published for @payloadcms/graphql (npm) • Apr 1, 2026

OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
Critical • GHSA-8rh7-6779-cjqq was published for openclaw (npm) • Apr 1, 2026

OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
Critical • GHSA-j7p2-qcwm-94v4 was published for openclaw (npm) • Mar 31, 2026

parse-server has cloud function validator bypass via prototype chain traversal
Critical • CVE-2026-34532 was published for parse-server (npm) • Mar 31, 2026

NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Critical • CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) • Mar 30, 2026

MikroORM is vulnerable to SQL Injection via specially crafted object
Critical • CVE-2026-34220 was published for @mikro-orm/core (npm) • Mar 29, 2026

Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
Critical • GHSA-hh43-q692-2xmq was published for openclaw (npm) • Mar 29, 2026 • withdrawn

mppx has multiple payment bypass and griefing vulnerabilities
Critical • GHSA-8x4m-qw58-3pcx was published for mppx (npm) • Mar 29, 2026

OpenClaw: Silent privilege escalation via gateway shared-auth reconnect
Critical • GHSA-fqw4-mph7-2vr8 was published for openclaw (npm) • Mar 27, 2026

OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
Critical • GHSA-9hjh-fr4f-gxc4 was published for openclaw (npm) • Mar 27, 2026

Handlebars.js has JavaScript Injection via AST Type Confusion
Critical • CVE-2026-33937 was published for handlebars (npm) • Mar 27, 2026

OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
Critical • GHSA-hf68-49fm-59cq was published for openclaw (npm) • Mar 26, 2026

Convict has Prototype Pollution via startsWith() function
Critical • CVE-2026-33864 was published for convict (npm) • Mar 26, 2026

Convict has prototype pollution via load(), loadFile(), and schema initialization
Critical • CVE-2026-33863 was published for convict (npm) • Mar 26, 2026
ProTip! Advisories are also available from the GraphQL API.