Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

299 advisories

Loading
Sylius affected by IDOR in Cart and Checkout LiveComponents High
CVE-2026-31820 was published for sylius/sylius (Composer) Mar 11, 2026
p- Credited to p- and m-y-mo m-y-mo m-y-mo
Craft Commerce: Potential IDOR in Commerce carts Moderate
CVE-2026-31867 was published for craftcms/commerce (Composer) Mar 10, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
StudioCMS has Privilege Escalation via Insecure API Token Generation High
CVE-2026-30944 was published for studiocms (npm) Mar 10, 2026
FilipeGaudard Credited to FilipeGaudard and Adammatthiesen Adammatthiesen Adammatthiesen
OneUptime has WhatsApp Resend Verification Authorization Bypass Moderate
CVE-2026-30959 was published for @oneuptime/common (npm) Mar 10, 2026
Aryma-f4 Credited to Aryma-f4
OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping Moderate
GHSA-pjvx-rx66-r3fg was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots Moderate
GHSA-j425-whc4-4jgc was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey, SnailSploit, and zpbrent SnailSploit SnailSploit
zpbrent zpbrent
Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter Moderate
CVE-2026-30927 was published for admidio/admidio (Composer) Mar 9, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
WeKnora has Unauthorized Cross‑Tenant Knowledge Base Cloning Moderate
CVE-2026-30857 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration High
CVE-2026-30823 was published for flowise (npm) Mar 6, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Pingora vulnerable to cache poisoning via insecure-by-default cache key High
CVE-2026-2836 was published for pingora-cache (Rust) Mar 5, 2026
xclow3n Credited to xclow3n
Craft CMS has unauthenticated activation email trigger with potential user enumeration High
CVE-2026-29069 was published for craftcms/cms (Composer) Mar 4, 2026
rlarabee Credited to rlarabee and RajChowdhury240 RajChowdhury240 RajChowdhury240
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher Moderate
CVE-2026-27898 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso and BlackDex BlackDex BlackDex
OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization Moderate
GHSA-f6h3-846h-2r8w was published for openclaw (npm) Mar 4, 2026
jiseoung Credited to jiseoung
OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From High
GHSA-2ch6-x3g4-7759 was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass Moderate
CVE-2026-32039 was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw has a Feishu allowFrom authorization bypass via display-name collision Moderate
CVE-2026-32021 was published for openclaw (npm) Mar 3, 2026
jiseoung Credited to jiseoung
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption Moderate
GHSA-j26j-7qc4-3mrf was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action Moderate
CVE-2026-28782 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am
Craft CMS: Entries Authorship Spoofing via Mass Assignment Moderate
CVE-2026-28781 was published for craftcms/cms (Composer) Mar 3, 2026
mHe4am Credited to mHe4am, RajChowdhury240, and rlarabee RajChowdhury240 RajChowdhury240
rlarabee rlarabee
Craft CMS has IDOR via GraphQL @parseRefs High
CVE-2026-28696 was published for craftcms/cms (Composer) Mar 3, 2026
z3rco Credited to z3rco
NocoDB Missing Ownership Validation in MCP Token Operations Moderate
CVE-2026-28361 was published for nocodb (npm) Mar 2, 2026
bugbunny-research Credited to bugbunny-research
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata Moderate
CVE-2026-32898 was published for openclaw (npm) Feb 27, 2026
nedlir Credited to nedlir
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints High
CVE-2026-27449 was published for Umbraco.Engage.Forms (NuGet) Feb 27, 2026
Amalie-Wowern Credited to Amalie-Wowern
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup Moderate
CVE-2026-27839 was published for wger (pip) Feb 26, 2026
ByamB4 Credited to ByamB4
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database