GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,430; Maven 5,000+; npm 5,000+; NuGet 882; pip 4,680; Pub 13; RubyGems 1,029; Rust 1,212; Swift 53.
Unreviewed advisories: 5,000+.
5,653 advisories
Axios HTTP/2 Session Cleanup State Corruption Vulnerability. Moderate. CVE-2026-39865 was published for axios (npm) on Apr 8, 2026.
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO). Moderate. GHSA-vvjj-xcjg-gr5g was published for nodemailer (npm) on Apr 8, 2026.
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read. Moderate. CVE-2026-39859 was published for liquidjs (npm) on Apr 8, 2026.
LiquidJS: ownPropertyOnly bypass via sort_natural filter, prototype property information disclosure through sorting side-channel. Moderate. CVE-2026-39412 was published for liquidjs (npm) on Apr 8, 2026.
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header. Moderate. CVE-2026-39411 was published for @lobehub/lobehub (npm) on Apr 8, 2026.
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates. High. CVE-2026-35525 was published for liquidjs (npm) on Apr 8, 2026.
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter. Low. CVE-2026-34166 was published for liquidjs (npm) on Apr 8, 2026.
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie(). Moderate. CVE-2026-39410 was published for hono (npm) on Apr 8, 2026.
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses. Moderate. CVE-2026-39409 was published for hono (npm) on Apr 8, 2026.
Hono missing validation of cookie name on write path in setCookie(). Moderate. GHSA-26pp-8wgv-hjvm was published for hono (npm) on Apr 8, 2026.
Hono: Path traversal in toSSG() allows writing files outside the output directory. Moderate. CVE-2026-39408 was published for hono (npm) on Apr 8, 2026.
Hono: Middleware bypass via repeated slashes in serveStatic. Moderate. CVE-2026-39407 was published for hono (npm) on Apr 8, 2026.
@hono/node-server: Middleware bypass via repeated slashes in serveStatic. Moderate. CVE-2026-39406 was published for @hono/node-server (npm) on Apr 8, 2026.
openclaw-claude-bridge: sandbox is not effective, `--allowed-tools ""` does not restrict available tools. Moderate. CVE-2026-39398 was published for openclaw-claude-bridge (npm) on Apr 8, 2026.
@delmaredigital/payload-puck is missing authorization on /api/puck/* CRUD endpoints, allowing unauthenticated access to Puck-registered collections. Critical. CVE-2026-39397 was published for @delmaredigital/payload-puck (npm) on Apr 8, 2026.
Drizzle ORM has SQL injection via improperly escaped SQL identifiers. High. CVE-2026-39356 was published for drizzle-orm (npm) on Apr 8, 2026.
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`. Moderate. CVE-2026-39381 was published for parse-server (npm) on Apr 8, 2026.
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests. High. CVE-2026-39371 was published for rwsdk (npm) on Apr 8, 2026.
skilleton has improper input handling in repository/path processing. Moderate. GHSA-5g3j-89fr-r2vp was published for skilleton (npm) on Apr 8, 2026.
Parse Server has a login timing side-channel that reveals user existence. Moderate. CVE-2026-39321 was published for parse-server (npm) on Apr 8, 2026.
coursevault-preview has a path traversal due to improper base-directory boundary validation. Moderate. CVE-2026-35613 was published for coursevault-preview (npm) on Apr 8, 2026.
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://. Moderate. GHSA-83f3-hh45-vfw9 was published for openclaw (npm) on Apr 7, 2026.
OpenClaw: Shared-secret comparison call sites leaked length information through timing. Moderate. GHSA-jj6q-rrrf-h66h was published for openclaw (npm) on Apr 7, 2026.
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders. Moderate. GHSA-rxmx-g7hr-8mx4 was published for openclaw (npm) on Apr 7, 2026.
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections. Moderate. GHSA-fh32-73r9-rgh5 was published for openclaw (npm) on Apr 7, 2026.