GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
375 advisories
Title | Severity | Identifier | Package (ecosystem) | Published

Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation | Critical | CVE-2026-55518 | avo (RubyGems) | Jun 17, 2026
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions. | Critical, Unreviewed | CVE-2026-54803 | (none listed) | Jun 17, 2026
DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in... | Critical, Unreviewed | CVE-2026-32966 | (none listed) | Jun 17, 2026
Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.... | Critical, Unreviewed | CVE-2026-32967 | (none listed) | Jun 17, 2026
Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect... | Critical, Unreviewed | CVE-2026-48303 | (none listed) | Jun 9, 2026
free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions | Critical | CVE-2026-44330 | github.com/free5gc/nef (Go) | May 8, 2026
Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted targetNF value | Critical | CVE-2025-66719 | github.com/free5gc/nrf (Go) | Jan 23, 2026
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering | Critical | CVE-2026-35490 | changedetection.io (pip) | Apr 6, 2026
OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed.... | Critical, Unreviewed | CVE-2026-41283 | (none listed) | Jun 4, 2026
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation | Critical | CVE-2026-47407 | praisonai-platform (pip) | May 29, 2026
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated... | Critical, Unreviewed | CVE-2026-3660 | (none listed) | May 26, 2026
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape | Critical | CVE-2026-43999 | vm2 (npm) | May 7, 2026
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering | Critical | CVE-2026-41050 | github.com/rancher/fleet (Go) | May 7, 2026
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | Critical | CVE-2026-43948 | wger (pip) | May 6, 2026
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases | Critical | CVE-2026-44221 | com.arcadedb:arcadedb-server (Maven) | May 5, 2026
S3-Proxy has Security Issues in its Resource Path Matching Implementation | Critical | CVE-2026-42882 | github.com/oxyno-zeta/s3-proxy (Go) | May 5, 2026
Pelican Web UI Affected by a Privilege Escalation Attack | Critical | CVE-2026-42571 | github.com/pelicanplatform/pelican (Go) | May 4, 2026
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect... | Critical, Unreviewed | CVE-2026-34660 | (none listed) | May 12, 2026
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening | Critical | GHSA-9h64-2846-7x7f | github.com/getaxonflow/axonflow (Go) | May 6, 2026
Codechecker has an authentication bypass for certain API calls | Critical | CVE-2026-25660 | codechecker (pip) | May 5, 2026
Buffer overflow due to incorrect authorization in PLC FW | Critical, Unreviewed | CVE-2026-25293 | (none listed) | May 4, 2026
Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token | Critical | CVE-2026-6290 | www.velocidex.com/golang/velociraptor (Go) | Apr 15, 2026
Official Clerk JavaScript SDKs: Middleware-based route protection bypass | Critical | CVE-2026-41248 | @clerk/astro (npm) | Apr 16, 2026
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation | Critical | CVE-2026-41329 | openclaw (npm) | Apr 2, 2026
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin | Critical | CVE-2026-35663 | openclaw (npm) | Mar 27, 2026