GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 73
GitHub Actions: 53
Go: 4,029
Maven: 5,000+
npm: 5,000+
NuGet: 976
pip: 5,000+
Pub: 13
RubyGems: 1,070
Rust: 1,404
Swift: 61

Unreviewed advisories:
All unreviewed: 5,000+

645 advisories matching the current filter
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
  Critical; CVE-2026-31843 was published for goodoneuz/pay-uz (Composer), Apr 16, 2026

wger has Broken Access Control in Global Gym Configuration Update Endpoint
  High; CVE-2026-40474 was published for wger (pip), Apr 16, 2026

October Rain has a Twig Sandbox Bypass via Collection Methods
  Moderate; CVE-2026-22692 was published for october/rain (Composer), Apr 14, 2026

GenieACS has an unauthenticated access vulnerability via the NBI API endpoint
  High; CVE-2025-56015 was published for genieacs (npm), Apr 7, 2026

Local settings bypass config trust checks
  High; CVE-2026-35533 was published for mise (Rust), Apr 7, 2026

OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
  Moderate; CVE-2026-41398 was published for openclaw (npm), Apr 7, 2026

Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
  High; CVE-2026-34444 was published for lupa (pip), Apr 7, 2026

Vite: `server.fs.deny` bypassed with queries
  High; CVE-2026-39364 was published for vite (npm), Apr 6, 2026

Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation
  High; CVE-2026-35172 was published for github.com/distribution/distribution (Go), Apr 6, 2026

Directus: Path Traversal and Broken Access Control in File Management API
  High; CVE-2026-39942 was published for directus (npm), Apr 4, 2026

Signal K Server: Unauthenticated Source Priorities Manipulation
  Moderate; CVE-2026-33951 was published for signalk-server (npm), Apr 3, 2026

CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
  High; CVE-2026-34572 was published for ci4-cms-erp/ci4ms (Composer), Apr 1, 2026

CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
  High; CVE-2026-34570 was published for ci4-cms-erp/ci4ms (Composer), Apr 1, 2026

AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard
  Moderate; CVE-2026-34733 was published for wwbn/avideo (Composer), Apr 1, 2026

OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
  High; GHSA-5r8f-96gm-5j6g was published for openclaw (npm), Apr 1, 2026

OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
  Moderate; CVE-2026-41344 was published for openclaw (npm), Mar 31, 2026

Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
  High; CVE-2026-34381 was published for admidio/admidio (Composer), Mar 31, 2026

OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
  Moderate; CVE-2026-35619 was published for openclaw (npm), Mar 30, 2026

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic
  Moderate; CVE-2026-33726 was published for github.com/cilium/cilium (Go), Mar 26, 2026

@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool
  High; GHSA-647h-p824-99w7 was published for @grackle-ai/mcp (npm), Mar 25, 2026

A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution
  Moderate; CVE-2026-33622 was published for github.com/pinchtab/pinchtab (Go), Mar 24, 2026

Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
  High; CVE-2026-32299 was published for opensource-workshop/connect-cms (Composer), Mar 23, 2026

Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
  Moderate; CVE-2026-4628 was published for org.keycloak:keycloak-services (Maven), Mar 23, 2026

langflow has Unauthenticated IDOR on Image Downloads
  High; CVE-2026-33484 was published for langflow (pip), Mar 20, 2026

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection
  Critical; CVE-2026-33478 was published for wwbn/avideo (Composer), Mar 20, 2026