Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

6,769 advisories

Loading
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header High
CVE-2026-55501 was published for 9router (npm) Jul 6, 2026
dinhvaren Credited to dinhvaren
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats Critical
GHSA-vjc7-jrh9-9j86 was published for 9router (npm) Jul 6, 2026
newnol Credited to newnol
Decompress: Archive extraction can create files and links outside of the target directory Critical
CVE-2026-53486 was published for @xhmikosr/decompress (npm) Jul 6, 2026
XhmikosR Credited to XhmikosR
SnailSploit Credited to SnailSploit and 0xShemesh 0xShemesh 0xShemesh
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass Critical
CVE-2026-49352 was published for 9router (npm) Jul 2, 2026
kaito7926 Credited to kaito7926
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation Moderate
GHSA-x4hg-hfwf-p9mw was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write High
GHSA-322x-v876-g883 was published for @asymmetric-effort/nogginlessdom (npm) Jul 2, 2026
9router: Missing Authorization and OS Command Injection Critical
GHSA-g6g7-pvmx-m74p was published for 9router (npm) Jul 2, 2026
vcth4nh Credited to vcth4nh and Ductinn Ductinn Ductinn
nimonian Credited to nimonian
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion High
CVE-2026-52746 was published for jsonata (npm) Jul 2, 2026
peaktwilight Credited to peaktwilight
electerm has Command Injection in File System Operations (rmrf, mv, cp) High
CVE-2026-49255 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling High
CVE-2026-49253 was published for electerm (npm) Jul 2, 2026
hibrian827 Credited to hibrian827
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields High
CVE-2026-49250 was published for @conform-to/dom (npm) Jul 2, 2026
jviide Credited to jviide
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString Moderate
CVE-2026-50290 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch Moderate
GHSA-j5qp-p44g-2m49 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction Moderate
GHSA-2944-57xv-2682 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range) Moderate
GHSA-xw57-23p8-9wc5 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state Moderate
GHSA-qcr8-x557-7cp3 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection Moderate
GHSA-5c7w-4wm3-85vw was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request High
CVE-2026-50288 was published for @asymmetric-effort/specifyjs (npm) Jul 2, 2026
OpenClaw: Native command authorization could skip owner-command enforcement High
GHSA-p73f-w79w-jqr5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks High
GHSA-j472-gf56-x589 was published for openclaw (npm) Jul 2, 2026
YLChen-007 Credited to YLChen-007
ProTip! Advisories are also available from the GraphQL API