GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

15 advisories

Insufficient Verification of Data Authenticity in Eclipse Theia High
CVE-2019-17636 was published for @theia/mini-browser (npm) Apr 13, 2021
Auth0 Passport-SharePoint does not validate JWT signature High
CVE-2019-13483 was published for passport-sharepoint (npm) May 24, 2022
json-web-token library is vulnerable to a JWT algorithm confusion attack High
CVE-2023-48238 was published for json-web-token (npm) Nov 17, 2023
Credited to PinkDraconian
In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists High
CVE-2024-30250 was published for @kindspells/astro-shield (npm) Apr 1, 2024
Credited to castarco
@clerk/backend Performs Insufficient Verification of Data Authenticity High
CVE-2025-53548 was published for @clerk/astro (npm) Jul 9, 2025
Credited to GautierT
React Router allows pre-render data spoofing on React-Router framework mode High
CVE-2025-43865 was published for react-router (npm) Apr 24, 2025
Credited to cold-try and mhassan1
OpenClaw inter-session prompts could be treated as direct user instructions High
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026
Credited to anbecker
Credited to yueyueL
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
Credited to simecek and stanislavfortaisle
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
Credited to EdamAme-x
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
Credited to 0x5t
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
Credited to maru1009
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
Credited to n0rv-TvT
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
Credited to dmbs335
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
CVE-2026-34511 was published for openclaw (npm) Apr 4, 2026
Credited to BG0ECV