GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 91
GitHub Actions: 54
Go: 4,194
Maven: 5,000+
npm: 5,000+
NuGet: 1,021
pip: 5,000+
Pub: 13
RubyGems: 1,102
Rust: 1,422
Swift: 61
Unreviewed advisories
All unreviewed: 5,000+
521 advisories
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege...
High | Unreviewed | CVE-2026-33356 was published | May 11, 2026
Open WebUI has inconsistent authorization controls within memories API
High | CVE-2026-44570 was published for open-webui (pip) | May 11, 2026
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability...
High | Unreviewed | CVE-2026-44400 was published | May 8, 2026
Spring Cloud Config has an Authorization Bypass Through User-Controlled Key
High | CVE-2026-40981 was published for org.springframework.cloud:spring-cloud-config-server (Maven) | May 7, 2026
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
High | CVE-2026-44504 was published for aegra-api (pip) | May 7, 2026
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
High | CVE-2026-42609 was published for getgrav/grav (Composer) | May 5, 2026
Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information...
High | Unreviewed | CVE-2026-41471 was published | May 4, 2026
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible...
High | Unreviewed | CVE-2026-2554 was published | May 2, 2026
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing...
High | Unreviewed | CVE-2026-7491 was published | May 2, 2026
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view...
High | Unreviewed | CVE-2026-4503 was published | Apr 30, 2026
Authorization bypass through User-Controlled key vulnerability in MeWare Software Development Inc...
High | Unreviewed | CVE-2026-7399 was published | Apr 30, 2026
This vulnerability exists in e-Sushrut due to improper authorization checks during resource...
High | Unreviewed | CVE-2026-42516 was published | Apr 29, 2026
This vulnerability exists in e-Sushrut due to the use of reversible Base64 encoding for...
High | Unreviewed | CVE-2026-42517 was published | Apr 29, 2026
This vulnerability exists in e-Sushrut due to improper access control in resource access...
High | Unreviewed | CVE-2026-42515 was published | Apr 29, 2026
A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT...
High | Unreviewed | CVE-2026-28747 was published | Apr 28, 2026
Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
High | CVE-2026-42205 was published for avo (RubyGems) | Apr 24, 2026
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name...
High | Unreviewed | CVE-2026-6375 was published | Apr 23, 2026
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up...
High | Unreviewed | CVE-2026-5617 was published | Apr 22, 2026
An insecure direct object reference (IDOR) vulnerability in the Fullstep V5 registration process...
High | Unreviewed | CVE-2026-5750 was published | Apr 22, 2026
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in...
High | Unreviewed | CVE-2026-5845 was published | Apr 22, 2026
Neko has a Self-service Privilege Escalation for Authenticated Users
High | CVE-2026-39386 was published for github.com/m1k1o/neko/server (Go) | Apr 21, 2026
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
High | CVE-2026-41279 was published for flowise (npm) | Apr 17, 2026
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
High | CVE-2026-41277 was published for flowise (npm) | Apr 17, 2026
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
High | CVE-2026-41267 was published for flowise (npm) | Apr 16, 2026
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
High | CVE-2026-40308 was published for joedolson/my-calendar (Composer) | Apr 16, 2026