GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
214 advisories
Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into...
Low • Unreviewed • CVE-2026-41000 was published • Jun 11, 2026
Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token
High • CVE-2026-45720 was published for github.com/siderolabs/omni (Go) • Jun 5, 2026
Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber +...
Moderate • Unreviewed • CVE-2026-49322 was published • May 29, 2026
Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay...
High • Unreviewed • CVE-2026-9095 was published • May 28, 2026
Keycloak: Unauthorized account takeover via WebAuthn token replay
Moderate • CVE-2026-37982 was published for org.keycloak:keycloak-services (Maven) • May 19, 2026
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
Moderate • GHSA-rc6v-5rmx-w5mv was published for github.com/arnika-project/arnika (Go) • May 15, 2026
Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest**...
Moderate • Unreviewed • CVE-2026-7168 was published • May 13, 2026
Keylime has a hardcoded attestation challenge nonce that allows replay attacks
Moderate • CVE-2026-6420 was published for keylime (pip) • May 11, 2026
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
High • CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) • May 6, 2026
Duplicate Advisory: OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Moderate • GHSA-m958-864j-xq5w was published for openclaw (npm) • Apr 24, 2026 • withdrawn
OpenClaw: Feishu webhook and card-action validation now fail closed
Critical • CVE-2026-44109 was published for openclaw (npm) • Apr 17, 2026
Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
High • GHSA-j56c-wpqm-h24x was published for openclaw (npm) • Apr 10, 2026 • withdrawn
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection....
High • Unreviewed • CVE-2026-30080 was published • Apr 8, 2026
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Moderate • CVE-2026-41351 was published for openclaw (npm) • Apr 3, 2026
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
Low • CVE-2026-41402 was published for openclaw (npm) • Apr 2, 2026
OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection
Moderate • CVE-2026-41337 was published for openclaw (npm) • Apr 2, 2026
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
High • CVE-2026-41395 was published for openclaw (npm) • Mar 31, 2026
OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing...
Critical • Unreviewed • CVE-2026-32987 was published • Mar 29, 2026
mpp has multiple payment bypass and griefing vulnerabilities
Critical • GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) • Mar 29, 2026
mppx has multiple payment bypass and griefing vulnerabilities
Critical • GHSA-8x4m-qw58-3pcx was published for mppx (npm) • Mar 29, 2026
mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
High • CVE-2026-34209 was published for mppx (npm) • Mar 29, 2026
Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth...
Moderate • Unreviewed • CVE-2026-27855 was published • Mar 27, 2026
OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
High • CVE-2026-35618 was published for openclaw (npm) • Mar 26, 2026
Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse
Moderate • GHSA-3r78-rqg8-95gg was published for openclaw (npm) • Mar 21, 2026 • withdrawn
Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing
Moderate • GHSA-866c-wwm5-4rj7 was published for openclaw (npm) • Mar 19, 2026 • withdrawn