GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
135 advisories
Kimai: Username enumeration via timing on X-AUTH-USER
Low | GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) | Apr 17, 2026
Mojic: Observable Timing Discrepancy in HMAC Verification
Moderate | GHSA-wqq3-wfmp-v85g was published for mojic (npm) | Apr 16, 2026
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Low | CVE-2026-33877 was published for apostrophe (npm) | Apr 16, 2026
Sync-in Server has Username Enumeration via Timing Attack
Moderate | GHSA-43fj-qp3h-hrh5 was published for @sync-in/server (npm) | Apr 15, 2026
Crypt::SecretBuffer versions before 0.019 for Perl is susceptible to timing attacks. For...
High | Unreviewed | CVE-2026-5086 was published | Apr 14, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Low | CVE-2026-40263 was published for github.com/enchant97/note-mark/backend (Go) | Apr 13, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Low | CVE-2026-40194 was published for phpseclib/phpseclib (Composer) | Apr 10, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate | CVE-2026-39321 was published for parse-server (npm) | Apr 8, 2026
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Moderate | GHSA-jj6q-rrrf-h66h was published for openclaw (npm) | Apr 7, 2026
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Moderate | GHSA-7789-65hx-f26w was published for github.com/gtsteffaniak/filebrowser/backend (Go) | Mar 24, 2026
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
Moderate | CVE-2026-32595 was published for github.com/traefik/traefik (Go) | Mar 20, 2026
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack
High | CVE-2026-32935 was published for phpseclib/phpseclib (Composer) | Mar 19, 2026
h3 has an observable timing discrepancy in basic auth utils
Moderate | CVE-2026-33129 was published for h3 (npm) | Mar 18, 2026
@perfood/couch-auth has an Observable Timing Discrepancy
High | CVE-2025-70949 was published for @perfood/couch-auth (npm) | Mar 5, 2026
AWS-LC has Timing Side-Channel in AES-CCM Tag Verification
High | GHSA-65p9-r9h6-22vj was published for aws-lc-fips-sys (Rust) | Mar 3, 2026
OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
Moderate | GHSA-h656-5vcf-cm23 was published for openclaw (npm) | Mar 3, 2026
OpenClaw has non-constant-time token comparison in hooks authentication
High | CVE-2026-28464 was published for openclaw (npm) | Mar 2, 2026
OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
Moderate | CVE-2026-28475 was published for openclaw (npm) | Mar 2, 2026
In drawLayersInternal of SkiaRenderEngine.cpp, there is a possible way to access the GPU cache...
High | Unreviewed | CVE-2025-48630 was published | Mar 2, 2026
OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function
Moderate | CVE-2026-26717 was published for richie (pip) | Feb 25, 2026
Hono added timing comparison hardening in basicAuth and bearerAuth
Low | GHSA-gq3j-xvxp-8hrf was published for hono (npm) | Feb 19, 2026
Apache Shiro Affected by an Observable Timing Discrepancy Vulnerability
Low | CVE-2026-23901 was published for org.apache.shiro:shiro-core (Maven) | Feb 10, 2026
PrestaShop affected by time based enumeration in FO login form
Moderate | CVE-2026-25597 was published for prestashop/prestashop (Composer) | Feb 3, 2026
Django has Observable Timing Discrepancy
Low | CVE-2025-13473 was published for Django (pip) | Feb 3, 2026
OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
Moderate | CVE-2026-23892 was published for OctoPrint (pip) | Jan 27, 2026
ProTip! Advisories are also available from the GraphQL API