GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 50; Go 3,606; Maven 5,000+; npm 5,000+; NuGet 924; pip 4,831; Pub 13; RubyGems 1,045; Rust 1,256; Swift 53.
Unreviewed advisories: 5,000+.
The listing below contains 5,910 advisories; every entry shown is for an npm package. Each entry gives the advisory title, its severity, the CVE identifier, the affected package and ecosystem, and the publication date.
auth-js Vulnerable to Insecure Path Routing from Malformed User Input (Low): CVE-2025-48370 was published for @supabase/auth-js (npm) on May 27, 2025.
Remote Code Execution (RCE) via String Literal Injection into math-codegen (Critical): CVE-2026-41507 was published for math-codegen (npm) on Apr 17, 2026.
Axios HTTP/2 Session Cleanup State Corruption Vulnerability (Moderate): CVE-2026-39865 was published for axios (npm) on Apr 8, 2026.
OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery (Moderate): CVE-2026-41302 was published for openclaw (npm) on Apr 2, 2026.
OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication (Moderate): CVE-2026-28476 was published for openclaw (npm) on Feb 18, 2026.
Astro: XSS in define:vars via incomplete </script> tag sanitization (Moderate): CVE-2026-41067 was published for astro (npm) on Apr 21, 2026.
Unsafe object property setter in mathjs (High): CVE-2026-40897 was published for mathjs (npm) on Apr 16, 2026.
Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4) (Low): CVE-2026-41321 was published for @astrojs/cloudflare (npm) on Apr 23, 2026.
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed (Moderate): CVE-2026-41322 was published for @astrojs/node (npm) on Apr 23, 2026.
electerm: electerm_install_script_CommandInjection Vulnerability Report (Critical): CVE-2026-41500 was published for electerm (npm) on Apr 16, 2026.
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers (High): CVE-2026-33318 was published for @actual-app/sync-server (npm) on Apr 23, 2026.
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability (Critical): CVE-2026-41264 was published for flowise (npm) on Apr 21, 2026.
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace (High): CVE-2026-39861 was published for @anthropic-ai/claude-code (npm) on Apr 21, 2026.
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) (Moderate): CVE-2026-41240 was published for dompurify (npm) on Apr 22, 2026.
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode (Moderate): CVE-2026-41239 was published for dompurify (npm) on Apr 22, 2026.
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback (Moderate): CVE-2026-41238 was published for dompurify (npm) on Apr 22, 2026.
Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows (Moderate): CVE-2026-35603 was published for @anthropic-ai/claude-code (npm) on Apr 17, 2026.
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) (Critical): CVE-2026-41478 was published for @saltcorn/server (npm) on Apr 16, 2026.
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints (Critical): CVE-2026-41428 was published for @budibase/backend-core (npm) on Apr 16, 2026.
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server (High): CVE-2026-41423 was published for @angular/platform-server (npm) on Apr 16, 2026.
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass (Critical): CVE-2026-41679 was published for @paperclipai/server (npm) on Apr 10, 2026.
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport) (High): CVE-2026-40879 was published for @nestjs/microservices (npm) on Apr 14, 2026.
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox (High): CVE-2026-41270 was published for flowise (npm) on Apr 16, 2026.
Official Clerk JavaScript SDKs: Middleware-based route protection bypass (Critical): CVE-2026-41248 was published for @clerk/astro (npm) on Apr 16, 2026.
Mojic: Observable Timing Discrepancy in HMAC Verification (Moderate): CVE-2026-41244 was published for mojic (npm) on Apr 16, 2026.
ProTip! Advisories are also available from the GraphQL API.