GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
89 advisories
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Low · CVE-2026-54282 · Starlette (pip) · published Jun 15, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7,...
Moderate · Unreviewed · CVE-2026-8716 · published May 27, 2026
pyLoad Has Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory in pyLoad
Moderate · CVE-2026-45306 · pyload-ng (pip) · published May 14, 2026
Hickory DNS's Record Cache Accepts AUTHORITY-Section NS from Sibling Zone via Parent-Pool Zone-Context Elevation
High · GHSA-83hf-93m4-rgwq · hickory-recursor (Rust) · published Apr 30, 2026
Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data...
Moderate · Unreviewed · CVE-2026-42254 · published Apr 26, 2026
Traefik has a StripPrefixRegex Middleware Authorization Bypass via Path/RawPath Desync
High · CVE-2026-40912 · github.com/traefik/traefik (Go) · published Apr 24, 2026
Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Moderate · GHSA-6477-wvjj-47v6 · openclaw (npm) · published Apr 24, 2026 · withdrawn
OpenFGA has Improper Policy Enforcement
Moderate · CVE-2026-41131 · github.com/openfga/openfga (Go) · published Apr 22, 2026
uutils coreutils Uses Incorrectly-Resolved Name or Reference
Moderate · CVE-2026-35358 · coreutils (Rust) · published Apr 22, 2026
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Moderate · GHSA-g8mc-c5f2-mqg7 · openclaw (npm) · published Apr 10, 2026 · withdrawn
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Critical · CVE-2026-35039 · fast-jwt (npm) · published Apr 3, 2026
OpenClaw: Zalo webhook replay cache cross-target messageId scope bypass
Low · CVE-2026-41402 · openclaw (npm) · published Apr 2, 2026
OpenClaw's system.run allowlist can be bypassed through an unregistered time dispatch wrapper
High · CVE-2026-35666 · openclaw (npm) · published Mar 26, 2026
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution
Moderate · CVE-2026-35670 · openclaw (npm) · published Mar 26, 2026
srvx is vulnerable to middleware bypass via absolute URI in request line
Moderate · CVE-2026-33732 · srvx (npm) · published Mar 26, 2026
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Low · CVE-2026-33490 · h3 (npm) · published Mar 20, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18...
Moderate · Unreviewed · CVE-2026-1230 · published Mar 11, 2026
WeKnora Vulnerable to Tool Execution Hijacking via Ambiguous Naming Convention in MCP Client and Indirect Prompt Injection
Moderate · CVE-2026-30856 · github.com/Tencent/WeKnora (Go) · published Mar 6, 2026
opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
High · CVE-2026-3125 · @opennextjs/cloudflare (npm) · published Mar 5, 2026
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
High · CVE-2026-25890 · github.com/filebrowser/filebrowser/v2 (Go) · published Feb 10, 2026
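The h3 `mount()` entry (a prefix match without a segment-boundary check) and the File Browser entry (an access check defeated by repeated leading slashes) are two faces of the same path-based bypass class. The following is an added illustration of that class in general, not code from h3, File Browser or any advisory on this page and not a reproduction of either bug; the function names, the `/admin` prefix and the sample paths are assumptions constructed for the example.

```javascript
// Added example: prefix-based route gating with and without a segment-boundary
// check, plus leading-slash normalization. Not code from h3, File Browser or
// any advisory listed above; names, prefix and sample paths are constructed.

// Naive prefix test: "/admin" also matches "/admin-public/..." and "/adminx",
// and misses "//admin/..." because the string does not start with "/admin".
function naiveUnderPrefix(path, prefix) {
  return path.startsWith(prefix);
}

// Collapse repeated leading slashes ("//admin", "///admin") so a check that
// anchors on "/admin" cannot be skipped by prepending an extra "/".
function normalizeLeadingSlashes(path) {
  return path.replace(/^\/{2,}/, "/");
}

// Segment-aware test: after normalization, the prefix must be followed by
// end-of-path or by "/", so "/admin-public" is not "under" "/admin".
function underPrefix(path, prefix) {
  const p = prefix.replace(/\/+$/, "");   // "/admin/" -> "/admin"
  const norm = normalizeLeadingSlashes(path);
  if (p === "") return true;              // mounting at "/" covers every path
  if (!norm.startsWith(p)) return false;
  const rest = norm.slice(p.length);
  return rest === "" || rest.startsWith("/");
}

// Gate decision for a hypothetical admin area, using the segment-aware test.
function requiresAdminAuth(path) {
  return underPrefix(path, "/admin");
}

// Constructed requests showing where the two checks diverge.
const samples = [
  "/admin",            // gated by both
  "/admin/users",      // gated by both
  "/admin-public/css", // naive: gated (unrelated route hit); segment-aware: not gated
  "/adminx",           // naive: gated; segment-aware: not gated
  "//admin/users",     // naive: NOT gated (bypass); normalized + segment-aware: gated
];

function compare(path) {
  return {
    path,
    naive: naiveUnderPrefix(path, "/admin"),
    segmentAware: underPrefix(path, "/admin"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of samples) console.log(compare(s));
}
```

The two defects pull in opposite directions: the missing boundary check over-matches (middleware runs on routes it was never mounted for), while the missing normalization under-matches (a protected path reaches the handler ungated). A single canonicalize-then-compare step, applied before any authorization decision and using the same canonical form the router uses to dispatch, removes both.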
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion...
Moderate · Unreviewed · CVE-2026-25067 · published Jan 29, 2026
An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8...
High · Unreviewed · CVE-2025-65474 · published Dec 11, 2025
Apptainer ineffectively applies selinux and apparmor --security options
Moderate · CVE-2025-65105 · github.com/apptainer/apptainer (Go) · published Dec 2, 2025
Singularity ineffectively applies selinux / apparmor LSM process labels
Moderate · CVE-2025-64750 · github.com/sylabs/singularity/v4 (Go) · published Dec 2, 2025
zx Uses Incorrectly-Resolved Name or Reference
Moderate · CVE-2025-13437 · zx (npm) · published Nov 20, 2025