GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
5,035 advisories
simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
Critical
CVE-2026-28292
was published
for
simple-git
(npm)
Mar 10, 2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Critical
CVE-2026-31840
was published
for
parse-server
(npm)
Mar 10, 2026
StudioCMS has Privilege Escalation via Insecure API Token Generation
High
CVE-2026-30944
was published
for
studiocms
(npm)
Mar 10, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate
CVE-2026-30959
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
Critical
CVE-2026-30957
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
liquidjs has a path traversal fallback vulnerability
High
CVE-2026-30952
was published
for
liquidjs
(npm)
Mar 10, 2026
Actual Sync Server has an Authenticated Path Traversal
Moderate
CVE-2026-3089
was published
for
@actual-app/sync-server
(npm)
Mar 10, 2026
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
High
CVE-2026-30939
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Moderate
CVE-2026-30938
was published
for
parse-server
(npm)
Mar 10, 2026
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
High
CVE-2026-30925
was published
for
parse-server
(npm)
Mar 10, 2026
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
Moderate
GHSA-9q36-67vc-rrwg
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: system.run allow-always persistence included shell-commented payload tails
Moderate
GHSA-9q2p-vc84-2rwm
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: `operator.write` chat.send could reach admin-only config writes
Moderate
GHSA-hfpr-jhpq-x4rm
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Moderate
GHSA-r6qf-8968-wj9q
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects
High
GHSA-6mgf-v5j7-45cr
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping
Moderate
GHSA-pjvx-rx66-r3fg
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Moderate
GHSA-3h2q-j2v4-6w5r
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots
Moderate
GHSA-j425-whc4-4jgc
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's hooks count non-POST requests toward auth lockout
Moderate
GHSA-6rmx-gvvg-vh6j
was published
for
openclaw
(npm)
Mar 9, 2026
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage
High
GHSA-rchv-x836-w7xp
was published
for
openclaw
(npm)
Mar 9, 2026
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Critical
CVE-2026-30863
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Moderate
CVE-2026-30854
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate
CVE-2026-30850
was published
for
parse-server
(npm)
Mar 9, 2026
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Moderate
CVE-2026-30848
was published
for
parse-server
(npm)
Mar 9, 2026
ProTip!
Advisories are also available from the
GraphQL API