GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,004; Maven 5,000+; npm 5,000+; NuGet 975; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,395; Swift 61.
Unreviewed advisories: All unreviewed 5,000+.
157 advisories
NocoDB: OAuth Tokens Persist Through Security Events (Moderate). CVE-2026-53926 was published for nocodb (npm), Jun 5, 2026.
NocoDB: Stale Auth Cache After API Token Deletion (Low). CVE-2026-46554 was published for nocodb (npm), May 21, 2026.
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges (High). GHSA-j5rm-v3vh-vx94 was published for edumfa (pip), May 18, 2026.
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions (Low). CVE-2026-22706 was published for @strapi/admin (npm), May 13, 2026.
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover (High). CVE-2026-44648 was published for sillytavern (npm), May 12, 2026.
Open WebUI has a CORS misconfiguration and session validation issue (High). GHSA-6xcp-7mpr-m7wm was published for open-webui (pip), May 11, 2026.
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access (High). CVE-2026-44553 was published for open-webui (pip), May 8, 2026.
nhost has Session Persistence After Password Change (Low). GHSA-7hgr-xvrr-xpw3 was published for github.com/nhost/nhost (Go), May 8, 2026.
ech0's access tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI (High). GHSA-fpw6-hrg5-q5x5 was published for github.com/lin-snow/Ech0 (Go), May 7, 2026.
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change (Moderate). GHSA-258c-965c-p3hc was published for github.com/daptin/daptin (Go), May 7, 2026.
katalyst-koi: Session cookies can be replayed after user logout (High). CVE-2026-44511 was published for katalyst-koi (RubyGems), May 7, 2026.
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload (Moderate). CVE-2026-45005 was published for openclaw (npm), May 5, 2026.
Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart (High). CVE-2026-40934 was published for jupyter-server (pip), May 5, 2026.
CI4MS has a Deactivated User Session Bypass (active=0) (Moderate). CVE-2026-41891 was published for ci4-cms-erp/ci4ms (Composer), May 4, 2026.
Weblate Doesn't Invalidate API Token on Password Change (Moderate). CVE-2026-41519 was published for weblate (pip), Apr 30, 2026.
Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation (Low). GHSA-wwc3-c577-533m was published for openclaw (npm), Apr 24, 2026. Withdrawn.
Data Sharing Framework is Missing Session Timeout for OIDC Sessions (Moderate). CVE-2026-40939 was published for dev.dsf:dsf-bpe-server (Maven), Apr 15, 2026.
pyLoad's Session Not Invalidated After Permission Changes (Low). GHSA-fj52-5g4h-gmq8 was published for pyload-ng (pip), Apr 14, 2026.
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) (High). CVE-2026-41133 was published for pyload-ng (pip), Apr 14, 2026.
OAuth2 Proxy's session cookies are not cleared when rendering sign-in page (Low). CVE-2026-34454 was published for github.com/oauth2-proxy/oauth2-proxy/v7 (Go), Apr 14, 2026.
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade (Moderate). CVE-2026-35594 was published for code.vikunja.io/api (Go), Apr 10, 2026.
OpenClaw: Existing WS sessions survive shared gateway token rotation (Moderate). CVE-2026-42421 was published for openclaw (npm), Apr 9, 2026.
OpenClaw: resolvedAuth closure becomes stale after config reload (Moderate). CVE-2026-41916 was published for openclaw (npm), Apr 9, 2026.
Apache Airflow: JWT token still valid after logout (Critical). CVE-2025-57735 was published for apache-airflow (pip), Apr 9, 2026.
parisneo/lollms has an insufficient session expiration vulnerability (Moderate). CVE-2026-1163 was published for lollms (pip), Apr 8, 2026.