GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
460 advisories
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel...
High
Unreviewed
CVE-2026-32976
was published
Mar 31, 2026
Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows...
High
Unreviewed
CVE-2026-4400
was published
Mar 31, 2026
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
High
CVE-2026-33030
was published
for
github.com/0xJacky/nginx-ui
(Go)
Mar 30, 2026
A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1...
High
Unreviewed
CVE-2026-3321
was published
Mar 30, 2026
The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in...
High
Unreviewed
CVE-2026-3124
was published
Mar 30, 2026
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
High
GHSA-q2qc-744p-66r2
was published
for
openclaw
(npm)
Mar 29, 2026
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
High
CVE-2026-34046
was published
for
langflow
(pip)
Mar 27, 2026
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
High
CVE-2026-33946
was published
for
mcp
(RubyGems)
Mar 27, 2026
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
High
CVE-2026-28788
was published
for
open-webui
(pip)
Mar 27, 2026
Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
High
CVE-2026-33678
was published
for
code.vikunja.io/api
(Go)
Mar 25, 2026
n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
High
CVE-2026-33663
was published
for
n8n
(npm)
Mar 25, 2026
Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription...
High
Unreviewed
CVE-2025-69347
was published
Mar 25, 2026
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
High
CVE-2026-32300
was published
for
opensource-workshop/connect-cms
(Composer)
Mar 23, 2026
langflow has Unauthenticated IDOR on Image Downloads
High
CVE-2026-33484
was published
for
langflow
(pip)
Mar 20, 2026
Langflow is Missing Ownership Verification in API Key Deletion (IDOR)
High
CVE-2026-33053
was published
for
langflow
(pip)
Mar 18, 2026
Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
High
CVE-2026-4208
was published
for
ralffreit/mfa-email
(Composer)
Mar 17, 2026
Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the...
High
Unreviewed
CVE-2026-3020
was published
Mar 16, 2026
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to...
High
Unreviewed
CVE-2026-1947
was published
Mar 16, 2026
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows...
High
Unreviewed
CVE-2016-20033
was published
Mar 16, 2026
A broken access control may allow an authenticated user to perform a horizontal privilege...
High
Unreviewed
CVE-2026-3999
was published
Mar 13, 2026
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure...
High
Unreviewed
CVE-2026-1992
was published
Mar 11, 2026
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all...
High
Unreviewed
CVE-2026-3453
was published
Mar 11, 2026
StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
High
CVE-2026-30945
was published
for
studiocms
(npm)
Mar 11, 2026
Sylius affected by IDOR in Cart and Checkout LiveComponents
High
CVE-2026-31820
was published
for
sylius/sylius
(Composer)
Mar 11, 2026
StudioCMS has Privilege Escalation via Insecure API Token Generation
High
CVE-2026-30944
was published
for
studiocms
(npm)
Mar 10, 2026