Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,948
Maven
5,000+
npm
5,000+
NuGet
969
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,383
Swift
56
Unreviewed advisories
All unreviewed
5,000+

1,473 advisories

Loading
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the... Critical Unreviewed
CVE-2026-25197 was published Apr 3, 2026
Directus: Path Traversal and Broken Access Control in File Management API High
CVE-2026-39942 was published for directus (npm) Apr 4, 2026
r3dpower Credited to r3dpower, pmins99, and odgrso pmins99 pmins99
odgrso odgrso
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible... High Unreviewed
CVE-2026-4896 was published Apr 4, 2026
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to... High Unreviewed
CVE-2026-5465 was published Apr 7, 2026
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections Moderate
CVE-2026-41372 was published for openclaw (npm) Apr 7, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is... Moderate Unreviewed
CVE-2026-5167 was published Apr 8, 2026
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to... Moderate Unreviewed
CVE-2026-4654 was published Apr 8, 2026
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to... Moderate Unreviewed
CVE-2026-4330 was published Apr 8, 2026
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery... Low Unreviewed
CVE-2026-39510 was published Apr 8, 2026
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream... Moderate Unreviewed
CVE-2026-39526 was published Apr 8, 2026
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments... Moderate Unreviewed
CVE-2026-39616 was published Apr 8, 2026
Wimi Teamwork On-Premises versions prior to 8.2.0 contain an insecure direct object reference... Moderate Unreviewed
CVE-2026-35023 was published Apr 8, 2026
A flaw was found in Red Hat Quay's container image upload process. An authenticated user with... High Unreviewed
CVE-2026-32589 was published Apr 8, 2026
Policy bypass in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to... Moderate Unreviewed
CVE-2026-5875 was published Apr 9, 2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18... Moderate Unreviewed
CVE-2026-2104 was published Apr 9, 2026
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all... Moderate Unreviewed
CVE-2026-3568 was published Apr 9, 2026
CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level... High Unreviewed
CVE-2026-29002 was published Apr 10, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to... Moderate Unreviewed
CVE-2026-3371 was published Apr 11, 2026
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that... High Unreviewed
CVE-2026-40043 was published Apr 13, 2026
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID Low
GHSA-9pm8-vwc5-w2hm was published for fat_free_crm (RubyGems) Apr 14, 2026
bgeesaman Credited to bgeesaman
A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do... High Unreviewed
CVE-2026-25654 was published Apr 14, 2026
MCPHub has an authentication bypass Moderate
CVE-2025-13822 was published for @samanhappy/mcphub (npm) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php High
CVE-2026-38530 was published for krayin/laravel-crm (Composer) Apr 14, 2026
Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php High
CVE-2026-38532 was published for krayin/laravel-crm (Composer) Apr 14, 2026
WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens Moderate
CVE-2026-40907 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database