GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

427 advisories

Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME High
GHSA-33r3-4whc-44c2 was published for vite-plus (npm) Apr 16, 2026
Credited to Jvr2022
Credited to axel-corsiez
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read Moderate
CVE-2026-39859 was published for liquidjs (npm) Apr 8, 2026
Credited to Ryu7zz
Hono: Path traversal in toSSG() allows writing files outside the output directory Moderate
CVE-2026-39408 was published for hono (npm) Apr 8, 2026
Credited to r74tech
Hono: Middleware bypass via repeated slashes in serveStatic Moderate
CVE-2026-39407 was published for hono (npm) Apr 8, 2026
Credited to blakeembrey
@hono/node-server: Middleware bypass via repeated slashes in serveStatic Moderate
CVE-2026-39406 was published for @hono/node-server (npm) Apr 8, 2026
coursevault-preview has a path traversal due to improper base-directory boundary validation Moderate
CVE-2026-35613 was published for coursevault-preview (npm) Apr 8, 2026
Credited to moritzmyrz and KevinJohannesen
OpenClaw: QQ Bot structured payloads could read arbitrary local files Moderate
GHSA-846p-hgpv-vphc was published for openclaw (npm) Apr 7, 2026
Credited to feiyang666
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped Moderate
GHSA-m34q-h93w-vg5x was published for openclaw (npm) Apr 7, 2026
Credited to jufeng123768
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling Moderate
CVE-2026-39365 was published for vite (npm) Apr 6, 2026
Credited to odgrso, Ochk0, and bluwy
Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write High
CVE-2026-35214 was published for @budibase/server (npm) Apr 4, 2026
Credited to bugbunny-research
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read Moderate
GHSA-58q2-7r52-jq62 was published for openclaw (npm) Apr 3, 2026
Credited to north-echo
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read High
GHSA-f6pf-4gjx-c94r was published for openclaw (npm) Apr 3, 2026
Credited to wsparks-vc and iskindar
Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints Moderate
CVE-2026-34750 was published for @payloadcms/storage-azure (npm) Apr 1, 2026
Credited to maru1009
SillyTavern: Path Traversal allows file existence oracle Moderate
CVE-2026-34523 was published for sillytavern (npm) Apr 1, 2026
Credited to kirakira-dev
Credited to maru1009
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories Moderate
CVE-2026-34451 was published for @anthropic-ai/sdk (npm) Apr 1, 2026
@tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions High
CVE-2026-34604 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions High
CVE-2026-34603 was published for @tinacms/graphql (npm) Apr 1, 2026
Credited to offset
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation High
CVE-2026-33581 was published for openclaw (npm) Mar 31, 2026
Credited to AntAISecurityLab
Credited to ADumpling
Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation High
GHSA-3gr8-2752-h46q was published for openclaw (npm) Mar 31, 2026 withdrawn
Credited to YLChen-007
@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files High
CVE-2026-33949 was published for @tinacms/graphql (npm) Mar 30, 2026
Credited to aarjubh