GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
2,050 advisories
OpenClaw: Agent gateway config mutations could change protected operator settings
Moderate
GHSA-7jm2-g593-4qrc
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy
Moderate
GHSA-qrp5-gfw2-gxv4
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
Moderate
GHSA-h2vw-ph2c-jvwf
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
Moderate
GHSA-mj59-h3q9-ghfh
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Workspace dotenv could override runtime-control environment variables
Moderate
GHSA-hxvm-xjvf-93f3
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy
Moderate
GHSA-72q8-jcmc-97wx
was published
for
openclaw
(npm)
Apr 25, 2026
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Moderate
GHSA-2xcp-x87w-q377
was published
for
openclaw
(npm)
Apr 25, 2026
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
Moderate
GHSA-wg4g-395p-mqv3
was published
for
n8n-mcp
(npm)
Apr 25, 2026
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Moderate
GHSA-m2m6-cff5-3w7c
was published
for
rwsdk
(npm)
Apr 24, 2026
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Moderate
CVE-2026-41305
was published
for
postcss
(npm)
Apr 24, 2026
Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
Moderate
CVE-2026-41322
was published
for
@astrojs/node
(npm)
Apr 23, 2026
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
Moderate
CVE-2026-41495
was published
for
n8n-mcp
(npm)
Apr 23, 2026
Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
Moderate
GHSA-2cjr-5v3h-v2w4
was published
for
@evomap/evolver
(npm)
Apr 22, 2026
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Moderate
GHSA-w5hq-g745-h8pq
was published
for
uuid
(npm)
Apr 22, 2026
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Moderate
CVE-2026-41650
was published
for
fast-xml-parser
(npm)
Apr 22, 2026
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
Moderate
CVE-2026-41591
was published
for
@marko/runtime-tags
(npm)
Apr 22, 2026
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Moderate
CVE-2026-41240
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
Moderate
CVE-2026-41239
was published
for
dompurify
(npm)
Apr 22, 2026
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Moderate
CVE-2026-41238
was published
for
dompurify
(npm)
Apr 22, 2026
Astro: XSS in define:vars via incomplete </script> tag sanitization
Moderate
CVE-2026-41067
was published
for
astro
(npm)
Apr 21, 2026
ProTip!
Advisories are also available from the
GraphQL API