GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
1,473 advisories
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Moderate
CVE-2026-33724
was published
for
n8n
(npm)
Mar 25, 2026
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
Critical
GHSA-2pv8-4c52-mf8j
was published
for
code.vikunja.io/api
(Go)
Mar 26, 2026
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low
GHSA-44px-qjjc-xrhq
was published
for
craftcms/cms
(Composer)
Mar 26, 2026
AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
Moderate
CVE-2026-33759
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
Moderate
CVE-2026-33764
was published
for
wwbn/avideo
(Composer)
Mar 26, 2026
OpenClaw: Synology Chat reply delivery could be rebound through username-based user resolution.
Moderate
CVE-2026-35670
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
Low
CVE-2026-35624
was published
for
openclaw
(npm)
Mar 26, 2026
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
High
CVE-2026-28788
was published
for
open-webui
(pip)
Mar 27, 2026
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Low
CVE-2026-29071
was published
for
open-webui
(pip)
Mar 27, 2026
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
High
CVE-2026-33946
was published
for
mcp
(RubyGems)
Mar 27, 2026
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
High
CVE-2026-34046
was published
for
langflow
(pip)
Mar 27, 2026
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Moderate
CVE-2026-35657
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
High
GHSA-q2qc-744p-66r2
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Low
CVE-2026-35617
was published
for
openclaw
(npm)
Mar 29, 2026
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
High
CVE-2026-33030
was published
for
github.com/0xJacky/nginx-ui
(Go)
Mar 30, 2026
OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
Moderate
CVE-2026-41406
was published
for
openclaw
(npm)
Apr 2, 2026
ProTip!
Advisories are also available from the
GraphQL API