Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,087
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,414
Swift
61
Unreviewed advisories
All unreviewed
5,000+

29 advisories

Loading
Arbitrary Code Execution in mathjs Critical
CVE-2017-1001003 was published for mathjs (npm) Dec 18, 2017
Prototype Pollution in mixin-deep Critical
CVE-2019-10746 was published for mixin-deep (npm) Aug 27, 2019
Null characters not escaped High
CVE-2021-21384 was published for shescape (npm) Mar 18, 2021
Command injection in nodemailer Critical
CVE-2020-7769 was published for nodemailer (npm) May 10, 2021
Remote command injection when using sendmail email transport Moderate
GHSA-wfrj-qqc2-83cm was published for ghost (npm) Sep 20, 2021
tdunlap607 Credited to tdunlap607
Command injection in simple-git High
CVE-2022-24066 was published for simple-git (npm) Apr 2, 2022
lirantal Credited to lirantal and rhelinko-telia rhelinko-telia rhelinko-telia
Command injection in git-interface Critical
CVE-2022-1440 was published for git-interface (npm) Apr 23, 2022
lirantal Credited to lirantal
OS Command Injection in git-promise High
CVE-2022-24376 was published for git-promise (npm) Jun 11, 2022
lirantal Credited to lirantal
Command injection in git-clone High
CVE-2022-25900 was published for git-clone (npm) Jul 2, 2022
lirantal Credited to lirantal
mc-kill-port vulnerable to Arbitrary Command Execution via kill function High
CVE-2022-25973 was published for mc-kill-port (npm) Aug 11, 2022
blamer vulnerable to Arbitrary Argument Injection via the blameByFile() API Moderate
CVE-2023-26143 was published for blamer (npm) Sep 19, 2023
lirantal Credited to lirantal
git-shallow-clone Argument Injection vulnerability Moderate
CVE-2024-21531 was published for git-shallow-clone (npm) Oct 1, 2024
dsimk Credited to dsimk
ggit is vulnerable to Arbitrary Argument Injection via the clone() API Moderate
CVE-2024-21533 was published for ggit (npm) Oct 8, 2024
lirantal Credited to lirantal
Matrix IRC Bridge allows IRC command injection to own puppeted user Low
CVE-2025-27146 was published for matrix-appservice-irc (npm) Feb 25, 2025
funderscore1 Credited to funderscore1
@conventional-changelog/git-client has Argument Injection vulnerability Moderate
CVE-2025-59433 was published for @conventional-changelog/git-client (npm) Sep 22, 2025
lirantal Credited to lirantal
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand High
CVE-2025-12613 was published for cloudinary (npm) Nov 10, 2025
OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes High
CVE-2026-28470 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments High
CVE-2026-22168 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
CVE-2026-29608 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts Moderate
GHSA-g87j-gm7p-6vw2 was published for openclaw (npm) Mar 19, 2026 withdrawn
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference High
CVE-2026-34769 was published for electron (npm) Apr 3, 2026
skilleton has improper input handling in repository/path processing Moderate
GHSA-5g3j-89fr-r2vp was published for skilleton (npm) Apr 8, 2026
SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh High
GHSA-p4h8-56qp-hpgv was published for @aiondadotcom/mcp-ssh (npm) Apr 14, 2026
MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting High
CVE-2026-39884 was published for mcp-server-kubernetes (npm) Apr 14, 2026
TharVid Credited to TharVid
exiftool-vendored vulnerable to argument injection via newline characters in tag names High
CVE-2026-43893 was published for exiftool-vendored (npm) May 5, 2026
Dobby153 Credited to Dobby153
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database