GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
4,133 advisories

Weblate: Privilege escalation in the user API endpoint
  High | CVE-2026-34393 | published for weblate (pip) | Apr 16, 2026

Dell Storage Manager - Replay Manager for Microsoft Servers, version(s) 8.0, contain(s) an...
  High | Unreviewed | CVE-2026-23772 | published Apr 16, 2026

The Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of...
  Critical | Unreviewed | CVE-2026-4880 | published Apr 16, 2026

Improper privilege management in Microsoft Windows allows an authorized attacker to deny service...
  Moderate | Unreviewed | CVE-2026-32181 | published Apr 14, 2026

Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php
  High | CVE-2026-38529 | published for krayin/laravel-crm (Composer) | Apr 14, 2026

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all...
  High | Unreviewed | CVE-2026-5144 | published Apr 11, 2026

Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
  Moderate | CVE-2026-39961 | published for github.com/aiven/aiven-operator (Go) | Apr 10, 2026

Vikunja vulnerable to Privilege Escalation via Project Reparenting
  High | CVE-2026-35595 | published for code.vikunja.io/api (Go) | Apr 10, 2026

The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate...
  High | Unreviewed | CVE-2026-29923 | published Apr 9, 2026

OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
  Low | CVE-2026-42429 | published for openclaw (npm) | Apr 9, 2026

OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
  Moderate | CVE-2026-42426 | published for openclaw (npm) | Apr 9, 2026

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
  High | CVE-2026-35607 | published for github.com/filebrowser/filebrowser/v2 (Go) | Apr 8, 2026

OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
  Moderate | CVE-2026-41298 | published for openclaw (npm) | Apr 7, 2026

OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
  High | CVE-2026-41359 | published for openclaw (npm) | Apr 7, 2026

OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
  Moderate | CVE-2026-41379 | published for openclaw (npm) | Apr 7, 2026

An issue that allowed all-organization administrators to promote accounts to superuser status has...
  High | Unreviewed | CVE-2026-5373 | published Apr 7, 2026

CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  Critical | CVE-2026-34989 | published for ci4-cms-erp/ci4ms (Composer) | Apr 3, 2026

OpenClaw: Unbound bootstrap setup codes allow privilege escalation during pairing
  High | CVE-2026-41386 | published for openclaw (npm) | Apr 3, 2026

OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
  Moderate | CVE-2026-41330 | published for openclaw (npm) | Apr 3, 2026

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users...
  High | Unreviewed | CVE-2023-7343 | published Apr 2, 2026

HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users...
  High | Unreviewed | CVE-2023-7342 | published Apr 2, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS...
  High | Unreviewed | CVE-2024-44250 | published Apr 2, 2026

OpenClaw: Unauthenticated plugin-auth HTTP routes receive operator runtime scopes
  Moderate | CVE-2026-41394 | published for openclaw (npm) | Apr 2, 2026

File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution
  High | CVE-2026-34528 | published for github.com/filebrowser/filebrowser/v2 (Go) | Mar 31, 2026

OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send
  High | CVE-2026-35621 | published for openclaw (npm) | Mar 30, 2026