GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
478 advisories match; the first 25 are listed below, one per line: identifier (severity; "unreviewed" where the database has not reviewed the advisory), affected package and ecosystem where listed, publication date, then the advisory title as shown on the page (some titles are truncated on the page and remain so here).
CVE-2026-53830 (Moderate, unreviewed), published Jun 13, 2026: OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing...
CVE-2026-53824 (Moderate, unreviewed), published Jun 13, 2026: OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked...
CVE-2026-53926 (Moderate), nocodb (npm), published Jun 5, 2026: NocoDB: OAuth Tokens Persist Through Security Events
CVE-2026-48726 (Moderate, unreviewed), published Jun 1, 2026: A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid...
CVE-2026-9802 (Moderate, unreviewed), published May 28, 2026: A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session...
CVE-2026-8670 (Critical, unreviewed), published May 26, 2026: Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows...
CVE-2026-46554 (Low), nocodb (npm), published May 21, 2026: NocoDB: Stale Auth Cache After API Token Deletion
CVE-2026-1815 (Moderate, unreviewed), published May 21, 2026: Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation ...
GHSA-j5rm-v3vh-vx94 (High), edumfa (pip), published May 18, 2026: eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges
CVE-2026-22706 (Low), @strapi/admin (npm), published May 13, 2026: Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
CVE-2026-5545 (Moderate, unreviewed), published May 13, 2026: libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated...
CVE-2026-44648 (High), sillytavern (npm), published May 12, 2026: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
CVE-2026-44873 (Moderate, unreviewed), published May 12, 2026: A session management vulnerability in AOS-8 allows previously authenticated users to retain...
GHSA-6xcp-7mpr-m7wm (High), open-webui (pip), published May 11, 2026: Open WebUI has a CORS misconfiguration and session validation issue
CVE-2026-44553 (High), open-webui (pip), published May 8, 2026: Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
GHSA-7hgr-xvrr-xpw3 (Low), github.com/nhost/nhost (Go), published May 8, 2026: nhost has Session Persistence After Password Change
GHSA-fpw6-hrg5-q5x5 (High), github.com/lin-snow/Ech0 (Go), published May 7, 2026: ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI
GHSA-258c-965c-p3hc (Moderate), github.com/daptin/daptin (Go), published May 7, 2026: Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change
CVE-2026-44511 (High), katalyst-koi (RubyGems), published May 7, 2026: katalyst-koi: Session cookies can be replayed after user logout
CVE-2026-45005 (Moderate), openclaw (npm), published May 5, 2026: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
CVE-2026-40934 (High), jupyter-server (pip), published May 5, 2026: Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart
CVE-2026-41891 (Moderate), ci4-cms-erp/ci4ms (Composer), published May 4, 2026: CI4MS has a Deactivated User Session Bypass (active=0)
CVE-2026-41519 (Moderate), weblate (pip), published Apr 30, 2026: Weblate Doesn't Invalidate API Token on Password Change
GHSA-wwc3-c577-533m (Low, withdrawn), openclaw (npm), published Apr 24, 2026: Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
CVE-2026-25720 (Moderate, unreviewed), published Apr 24, 2026: A vulnerability exists in SenseLive X3050's web management interface due to improper session...