GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 70; GitHub Actions 52; Go 3,948; Maven 5,000+; npm 5,000+; NuGet 969; pip 5,000+; Pub 13; RubyGems 1,062; Rust 1,383; Swift 56. Unreviewed advisories: 5,000+.

460 advisories match the current filter; the 25 shown on this page are listed below. Unreviewed advisories carry no package or ecosystem mapping.
| Published | Advisory | Severity | Package (ecosystem) | Title |
|---|---|---|---|---|
| Mar 9, 2026 | CVE-2026-30920 | High | @oneuptime/common (npm) | OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding |
| Mar 6, 2026 | CVE-2026-30823 | High | flowise (npm) | Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration |
| Mar 5, 2026 | CVE-2026-2836 | High | pingora-cache (Rust) | Pingora vulnerable to cache poisoning via insecure-by-default cache key |
| Mar 4, 2026 | CVE-2026-29069 | High | craftcms/cms (Composer) | Craft CMS has unauthenticated activation email trigger with potential user enumeration |
| Mar 3, 2026 | GHSA-2ch6-x3g4-7759 | High | openclaw (npm) | OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From |
| Mar 3, 2026 | CVE-2026-28696 | High | craftcms/cms (Composer) | Craft CMS has IDOR via GraphQL @parseRefs |
| Mar 2, 2026 | CVE-2026-0020 | High | (unreviewed) | In parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a... |
| Mar 2, 2026 | CVE-2025-58402 | High | (unreviewed) | The CGM CLININET application uses direct, sequential object identifiers "MessageID" without... |
| Feb 27, 2026 | CVE-2026-27449 | High | Umbraco.Engage.Forms (NuGet) | Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints |
| Feb 20, 2026 | CVE-2026-24950 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy... |
| Feb 20, 2026 | CVE-2026-22383 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet... |
| Feb 20, 2026 | CVE-2025-69394 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows... |
| Feb 20, 2026 | CVE-2025-68051 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket... |
| Feb 19, 2026 | CVE-2025-9062 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in MeCODE Informatics and... |
| Feb 18, 2026 | CVE-2026-1436 | High | (unreviewed) | Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the... |
| Feb 18, 2026 | CVE-2026-28469 | High | clawdbot (npm) | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting |
| Feb 17, 2026 | GHSA-hv93-r4j3-q65f | High | openclaw (npm) | OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing |
| Feb 13, 2026 | CVE-2026-1619 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc.... |
| Feb 11, 2026 | CVE-2025-15096 | High | (unreviewed) | The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via... |
| Feb 10, 2026 | CVE-2025-7347 | High | (unreviewed) | Authorization Bypass Through User-Controlled Key vulnerability in Dinibh Puzzle Software... |
| Feb 9, 2026 | CVE-2026-25497 | High | craftcms/cms (Composer) | Craft CMS: GraphQL Asset Mutation Privilege Escalation |
| Feb 8, 2026 | CVE-2026-25563 | High | (unreviewed) | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist... |
| Feb 8, 2026 | CVE-2026-25564 | High | (unreviewed) | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist... |
| Feb 5, 2026 | CVE-2026-25758 | High | spree_api (RubyGems) | Unauthenticated Spree Commerce users can access all guest addresses |
| Feb 5, 2026 | CVE-2026-25757 | High | spree_storefront (RubyGems) | Unauthenticated Spree Commerce users can view completed guest orders by Order ID |
Advisories are also available from the GitHub GraphQL API.