
GitHub Advisory Database

Security vulnerability database covering CVEs and GitHub-originated security advisories from the world of open source software.

645 advisories

OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens (High)
CVE-2026-44118, published for openclaw (npm), May 4, 2026. Credited to VladimirEliTokarev.

Funadmin has an Improper Access Control Issue (Moderate)
CVE-2026-7733, published for funadmin/funadmin (Composer), May 4, 2026.

MindsDB has an Improper Access Control Issue (Moderate)
CVE-2026-7711, published for MindsDB (pip), May 4, 2026.

FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field (Moderate)
CVE-2026-32699, published for facturascripts/facturascripts (Composer), Apr 28, 2026. Credited to TurkiOS.

Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration (Moderate)
CVE-2026-40966, published for org.springframework.ai:spring-ai-advisors-vector-store (Maven), Apr 28, 2026.

OpenClaw: Paired-device pairing actions were not limited to the caller device (Low)
GHSA-xrq9-jm7v-g9h7, published for openclaw (npm), Apr 25, 2026. Credited to Hinotoi-agent, xIllunight, krrazee, 0x5t4l1n, and harriiinnii.

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers (High)
CVE-2026-33318, published for @actual-app/sync-server (npm), Apr 23, 2026. Credited to Rex50527 and MatissJanis.

@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call (High)
CVE-2026-41641, published for @nocobase/plugin-collection-sql (npm), Apr 22, 2026. Credited to p80n-sec.

Nuclei: Local File Read via require() Module Loader Bypass (Moderate)
CVE-2026-41646, published for github.com/projectdiscovery/nuclei/v3 (Go), Apr 22, 2026. Credited to AkashHamal0x01.

OpenRemote has Improper Access Control via updateUserRealmRoles function (High)
CVE-2026-41166, published for io.openremote:openremote-manager (Maven), Apr 22, 2026. Credited to KKC73.

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules (High)
CVE-2026-22754, published for org.springframework.security:spring-security-config (Maven), Apr 22, 2026.

Neko has a Self-service Privilege Escalation for Authenticated Users (High)
CVE-2026-39386, published for github.com/m1k1o/neko/server (Go), Apr 21, 2026. Credited to blitzkrieg-patch.

OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal (High)
CVE-2026-35570, published for @gitlawb/openclaude (npm), Apr 21, 2026. Credited to Rickidevs.

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens (High)
CVE-2026-33031, published for github.com/0xJacky/Nginx-UI (Go), Apr 21, 2026. Credited to jaehonam.

Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API (Moderate)
CVE-2026-6596, published for langflow-base (pip), Apr 20, 2026.

Dapr: Service Invocation path traversal ACL bypass (High)
CVE-2026-41491, published for github.com/dapr/dapr (Go), Apr 17, 2026. Credited to JoshVanL, cicoyle, and acroca.

OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0 (High)
GHSA-525j-hqq2-66r4, published for openclaw (npm), Apr 17, 2026. Credited to R1kko1337 and berkdedekarginoglu.

Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures (Low)
CVE-2026-35402, published for mcp-neo4j-cypher (pip), Apr 17, 2026. Credited to yotampe-pluto.

Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email (High)
GHSA-gqqj-85qm-8qhf, published for paperclipai (npm), Apr 16, 2026. Credited to madrobotnet and Sn1r.

zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records (Moderate)
CVE-2026-40304, published for github.com/openziti/zrok (Go), Apr 16, 2026. Credited to bugbunny-research.

Weblate: Improper access control for pending tasks in API (Low)
CVE-2026-33212, published for weblate (pip), Apr 16, 2026. Credited to nijel.
Advisories are also available from the GitHub GraphQL API.
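The following is an added example of pulling this listing programmatically rather than scraping the page; it is not GitHub's own tooling and not code from this page. It assumes the `securityAdvisories` connection and field names (`ghsaId`, `summary`, `severity`, `publishedAt`, `identifiers`, `vulnerabilities`, `package.ecosystem`, `package.name`, `vulnerableVersionRange`, `firstPatchedVersion`) of GitHub's GraphQL schema, and the sample response embedded below is constructed to mirror two entries from this page; the version ranges in it are placeholders, not the advisories' real affected ranges.

```python
"""Fetch GitHub Advisory Database entries via GraphQL and normalise them.

Added example, not GitHub's code. Assumes the securityAdvisories connection
and field names of GitHub's GraphQL schema. SAMPLE_RESPONSE is constructed
(two entries from the listing, with placeholder version ranges) so the
normalisation and filtering run offline.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Most recently published advisories, with the identifiers and affected
# packages needed to match them against a dependency inventory.
QUERY = """
query($first: Int!) {
  securityAdvisories(first: $first, orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    nodes {
      ghsaId summary severity publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""

SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


def fetch_advisories(token: str, first: int = 25) -> dict:
    """Run QUERY against the live API (needs network and a token); returns the raw JSON."""
    body = json.dumps({"query": QUERY, "variables": {"first": first}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL,
        data=body,
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalize(response: dict) -> list:
    """Flatten the nested response into one flat record per (advisory, affected package)."""
    records = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        # Prefer the CVE as the display id, fall back to the GHSA id (as the listing does).
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        for vuln in adv["vulnerabilities"]["nodes"]:
            patched = vuln.get("firstPatchedVersion") or {}
            records.append({
                "id": cve or adv["ghsaId"],
                "ghsa": adv["ghsaId"],
                "summary": adv["summary"],
                "severity": adv["severity"],
                "published": adv["publishedAt"][:10],
                "ecosystem": vuln["package"]["ecosystem"],
                "package": vuln["package"]["name"],
                "range": vuln["vulnerableVersionRange"],
                "patched": patched.get("identifier"),
            })
    return records


def filter_records(records: list, ecosystem: str = None, min_severity: str = "LOW") -> list:
    """Keep records at or above min_severity, optionally restricted to one ecosystem."""
    floor = SEVERITY_RANK[min_severity]
    return [
        r for r in records
        if SEVERITY_RANK[r["severity"]] >= floor
        and (ecosystem is None or r["ecosystem"] == ecosystem)
    ]


# Constructed sample mirroring two entries above; version ranges are placeholders.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-0000-0000-0001",  # placeholder GHSA id; the CVE below is the real one
     "summary": "OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens",
     "severity": "HIGH", "publishedAt": "2026-05-04T00:00:00Z",
     "identifiers": [{"type": "CVE", "value": "CVE-2026-44118"}],
     "vulnerabilities": {"nodes": [{"package": {"ecosystem": "NPM", "name": "openclaw"},
                                    "vulnerableVersionRange": "< 1.0.0",
                                    "firstPatchedVersion": {"identifier": "1.0.0"}}]}},
    {"ghsaId": "GHSA-xrq9-jm7v-g9h7",
     "summary": "OpenClaw: Paired-device pairing actions were not limited to the caller device",
     "severity": "LOW", "publishedAt": "2026-04-25T00:00:00Z",
     "identifiers": [{"type": "GHSA", "value": "GHSA-xrq9-jm7v-g9h7"}],
     "vulnerabilities": {"nodes": [{"package": {"ecosystem": "NPM", "name": "openclaw"},
                                    "vulnerableVersionRange": "< 1.0.0",
                                    "firstPatchedVersion": None}]}},
]}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    data = fetch_advisories(token) if token else SAMPLE_RESPONSE
    for r in filter_records(normalize(data), ecosystem="NPM", min_severity="HIGH"):
        print(f'{r["id"]} {r["severity"]:<8} {r["package"]} {r["range"]} -> {r["patched"]}')
```

Run it with `GITHUB_TOKEN` set to query the live API, or without a token to exercise the constructed sample. The flat records are deliberately one-per-package so they can be joined directly against a lockfile or SBOM on `(ecosystem, package)`.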