GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
29,704 advisories
Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling
Critical
GHSA-8m29-fpq5-89jj
was published
for
zebra-script
(Rust)
Apr 18, 2026
Zebra has rk Identity Point Panic in Transaction Verification
Critical
GHSA-452v-w3gx-72wg
was published
for
zebra-chain
(Rust)
Apr 18, 2026
Wish has SCP Path Traversal that allows arbitrary file read/write
Critical
GHSA-xjvp-7243-rg9h
was published
for
charm.land/wish/v2
(Go)
Apr 18, 2026
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
Critical
GHSA-6g38-8j4p-j3pr
was published
for
github.com/nhost/nhost
(Go)
Apr 18, 2026
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Critical
GHSA-v38x-c887-992f
was published
for
flowise
(npm)
Apr 18, 2026
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical
GHSA-xh72-v6v9-mwhc
was published
for
openclaw
(npm)
Apr 17, 2026
Remote Code Execution (RCE) via String Literal Injection into math-codegen
Critical
GHSA-p6x5-p4xf-cc4r
was published
for
math-codegen
(npm)
Apr 17, 2026
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
Critical
GHSA-9qhq-v63v-fv3j
was published
for
praisonai
(pip)
Apr 17, 2026
Sentry: Improper authentication on SAML SSO process allows user identity linking
Critical
CVE-2026-27197
was published
for
sentry
(pip)
Apr 17, 2026
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Critical
CVE-2026-23500
was published
for
dolibarr/dolibarr
(Composer)
Apr 17, 2026
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Critical
GHSA-jp74-mfrx-3qvh
was published
for
@saltcorn/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Critical
GHSA-3xx2-mqjm-hg9x
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Critical
GHSA-47wq-cj9q-wpmp
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
Critical
GHSA-vr7g-88fq-vhq3
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
Critical
GHSA-8783-3wgf-jggf
was published
for
@budibase/backend-core
(npm)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API