Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,521
Maven
5,000+
npm
5,000+
NuGet
912
pip
4,768
Pub
13
RubyGems
1,036
Rust
1,229
Swift
53
Unreviewed advisories
All unreviewed
5,000+

59 advisories

Loading
OpenClaw: Forged Nostr DMs could create pairing state before signature verification Moderate
GHSA-h43v-27wg-5mf9 was published for openclaw (npm) Apr 7, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
StableLib Ed25519 Signature Malleability via Missing S < L Check Moderate
GHSA-x3ff-w252-2g7j was published for @stablelib/ed25519 (npm) Apr 1, 2026
kodareef5 Credited to kodareef5
Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-vjqw-w5jr-g9w5 was published for openclaw (npm) Mar 29, 2026 withdrawn
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
corbanvilla Credited to corbanvilla, dderpym, and soh3e dderpym dderpym
soh3e soh3e
jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.setPublic High
CVE-2026-4600 was published for jsrsasign (npm) Mar 23, 2026
sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey High
CVE-2026-4258 was published for sjcl (npm) Mar 17, 2026
wmorland Credited to wmorland
OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
CVE-2026-32974 was published for openclaw (npm) Mar 13, 2026
lintsinghua Credited to lintsinghua
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation Low
CVE-2026-22866 was published for @ensdomains/ens-contracts (npm) Feb 25, 2026
dcap-qvl has Missing Verification for QE Identity Critical
CVE-2026-22696 was published for @phala/dcap-qvl (npm) Jan 26, 2026
sm-crypto Affected by Signature Forgery in SM2-DSA High
CVE-2026-23965 was published for sm-crypto (npm) Jan 21, 2026
XlabAITeam Credited to XlabAITeam, A7um, tl2cents, and keenanwgn A7um A7um
tl2cents tl2cents keenanwgn keenanwgn
sm-crypto Affected by Signature Malleability in SM2-DSA High
CVE-2026-23967 was published for sm-crypto (npm) Jan 21, 2026
XlabAITeam Credited to XlabAITeam, A7um, tl2cents, and keenanwgn A7um A7um
tl2cents tl2cents keenanwgn keenanwgn
Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks "alg" (untrusted header.alg fallback) High
CVE-2026-22818 was published for hono (npm) Jan 13, 2026
calloc134 Credited to calloc134 and devanshbatham devanshbatham devanshbatham
Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass High
CVE-2026-22817 was published for hono (npm) Jan 13, 2026
calloc134 Credited to calloc134 and devanshbatham devanshbatham devanshbatham
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay Moderate
CVE-2025-68113 was published for altcha (RubyGems) Dec 16, 2025
eternal-flame-AD Credited to eternal-flame-AD
auth0/node-jws Improperly Verifies HMAC Signature High
CVE-2025-65945 was published for jws (npm) Dec 4, 2025
Sideni Credited to Sideni
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate High
CVE-2025-59288 was published for playwright (npm) Oct 14, 2025
JLLeitschuh Credited to JLLeitschuh
Node-SAML SAML Signature Verification Vulnerability Critical
CVE-2025-54419 was published for @node-saml/node-saml (npm) Jul 28, 2025
ahacker1-securesaml Credited to ahacker1-securesaml and cjbarth cjbarth cjbarth
Node-SAML SAML Authentication Bypass Critical
CVE-2025-54369 was published for @node-saml/node-saml (npm) Jul 25, 2025
ahacker1-securesaml Credited to ahacker1-securesaml and cjbarth cjbarth cjbarth
tiny-secp256k1 allows for verify() bypass when running in bundled environment High
CVE-2024-49365 was published for tiny-secp256k1 (npm) Jun 30, 2025
ChALkeR Credited to ChALkeR and jprichardson jprichardson jprichardson
samlify SAML Signature Wrapping attack Critical
CVE-2025-47949 was published for samlify (npm) May 19, 2025
ahacker1-securesaml Credited to ahacker1-securesaml
OpenPGP.js's message signature verification can be spoofed High
CVE-2025-47934 was published for openpgp (npm) May 19, 2025
CodeanIO Credited to CodeanIO
Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping Critical
CVE-2025-46572 was published for passport-wsfed-saml2 (npm) May 6, 2025
xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment Critical
CVE-2025-29775 was published for xml-crypto (npm) Mar 14, 2025
ahacker1-securesaml Credited to ahacker1-securesaml, marktran, mattgd, blairworkos, mthadley, nickcollisson-workos, and latacora-paul marktran marktran
mattgd mattgd blairworkos blairworkos mthadley mthadley nickcollisson-workos nickcollisson-workos latacora-paul latacora-paul
xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References Critical
CVE-2025-29774 was published for xml-crypto (npm) Mar 14, 2025
mattgd Credited to mattgd, blairworkos, mthadley, nickcollisson-workos, latacora-paul, ahacker1-securesaml, and marktran blairworkos blairworkos
mthadley mthadley nickcollisson-workos nickcollisson-workos latacora-paul latacora-paul ahacker1-securesaml ahacker1-securesaml marktran marktran
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database