GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
29,124 advisories
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
Low
GHSA-r7w7-9xr2-qq2r
was published
for
langchain-openai
(pip)
Apr 16, 2026
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass
Moderate
GHSA-fv5p-p927-qmxr
was published
for
langchain-text-splitters
(pip)
Apr 16, 2026
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Critical
GHSA-jp74-mfrx-3qvh
was published
for
@saltcorn/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
Critical
GHSA-3xx2-mqjm-hg9x
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Moderate
GHSA-fpw4-p57j-hqmq
was published
for
@paperclipai/ui
(npm)
Apr 16, 2026
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Moderate
GHSA-p7mm-r948-4q3q
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Critical
GHSA-47wq-cj9q-wpmp
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
Critical
GHSA-vr7g-88fq-vhq3
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
High
GHSA-gqqj-85qm-8qhf
was published
for
paperclipai
(npm)
Apr 16, 2026
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
High
GHSA-xfqj-r5qw-8g4j
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
High
GHSA-265w-rf2w-cjh4
was published
for
@paperclipai/server
(npm)
Apr 16, 2026
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Moderate
GHSA-3pw3-v88x-xj24
was published
for
@paperclipai/shared
(npm)
Apr 16, 2026
OAuth 2.1 Provider: Unprivileged users can register OAuth clients
High
GHSA-xr8f-h2gw-9xh6
was published
for
@better-auth/oauth-provider
(npm)
Apr 16, 2026
Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
Critical
GHSA-8783-3wgf-jggf
was published
for
@budibase/backend-core
(npm)
Apr 16, 2026
Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
High
GHSA-45q2-gjvg-7973
was published
for
@angular/platform-server
(npm)
Apr 16, 2026
Arbitrary code execution in protobufjs
Critical
GHSA-xq3m-2v4x-88gg
was published
for
protobufjs
(npm)
Apr 16, 2026
@fastify/static vulnerable to path traversal in directory listing
Moderate
CVE-2026-6410
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/static vulnerable to route guard bypass via encoded path separators
Moderate
CVE-2026-6414
was published
for
@fastify/static
(npm)
Apr 16, 2026
@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes
Critical
CVE-2026-6270
was published
for
@fastify/middie
(npm)
Apr 16, 2026
ProTip!
Advisories are also available from the
GraphQL API