GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
92
GitHub Actions
54
Go
4,260
Maven
5,000+
npm
5,000+
NuGet
1,029
pip
5,000+
Pub
13
RubyGems
1,103
Rust
1,483
Swift
61
Unreviewed advisories
All unreviewed
5,000+
6,769 advisories
Filter by severity
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
High
CVE-2026-55501
was published
for
9router
(npm)
Jul 6, 2026
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Critical
CVE-2026-55500
was published
for
9router
(npm)
Jul 6, 2026
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Critical
GHSA-vjc7-jrh9-9j86
was published
for
9router
(npm)
Jul 6, 2026
Decompress: Archive extraction can create files and links outside of the target directory
Critical
CVE-2026-53486
was published
for
@xhmikosr/decompress
(npm)
Jul 6, 2026
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
High
CVE-2026-49353
was published
for
9router
(npm)
Jul 2, 2026
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Critical
CVE-2026-49352
was published
for
9router
(npm)
Jul 2, 2026
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Moderate
GHSA-x4hg-hfwf-p9mw
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
High
GHSA-322x-v876-g883
was published
for
@asymmetric-effort/nogginlessdom
(npm)
Jul 2, 2026
9router: Missing Authorization and OS Command Injection
Critical
GHSA-g6g7-pvmx-m74p
was published
for
9router
(npm)
Jul 2, 2026
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Moderate
GHSA-gj2h-2fpw-fhv9
was published
for
@nuxt/ui
(npm)
Jul 2, 2026
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
High
CVE-2026-52746
was published
for
jsonata
(npm)
Jul 2, 2026
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
High
GHSA-f9ff-5x35-7gfw
was published
for
@grackle-ai/auth
(npm)
Jul 2, 2026
electerm has Command Injection in File System Operations (rmrf, mv, cp)
High
CVE-2026-49255
was published
for
electerm
(npm)
Jul 2, 2026
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling
High
CVE-2026-49253
was published
for
electerm
(npm)
Jul 2, 2026
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
High
CVE-2026-49250
was published
for
@conform-to/dom
(npm)
Jul 2, 2026
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
High
GHSA-vv65-f55v-xm6g
was published
for
@grackle-ai/powerline
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Moderate
CVE-2026-50290
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Moderate
GHSA-j5qp-p44g-2m49
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Moderate
GHSA-2944-57xv-2682
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Moderate
GHSA-xw57-23p8-9wc5
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Moderate
GHSA-qcr8-x557-7cp3
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
Moderate
GHSA-5c7w-4wm3-85vw
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
@asymmetric-effort/specifyjs: URL parse failure silently allows request
High
CVE-2026-50288
was published
for
@asymmetric-effort/specifyjs
(npm)
Jul 2, 2026
OpenClaw: Native command authorization could skip owner-command enforcement
High
GHSA-p73f-w79w-jqr5
was published
for
openclaw
(npm)
Jul 2, 2026
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
High
GHSA-j472-gf56-x589
was published
for
openclaw
(npm)
Jul 2, 2026
ProTip!
Advisories are also available from the
GraphQL API