GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories: All reviewed 5,000+; Composer 5,000+; Erlang 47; GitHub Actions 48; Go 3,378; Maven 5,000+; npm 5,000+; NuGet 881; pip 4,573; Pub 13; RubyGems 1,013; Rust 1,205; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
724 advisories
Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery (Moderate). GHSA-hff2-gcpx-8f4p was published for apollo-router (Rust) on Mar 26, 2026.
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention (Moderate). GHSA-9q82-xgwf-vj6h was published for @apollo/server (npm) on Mar 26, 2026.
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status (Moderate). GHSA-ppwq-6v66-5m6j was published for openclaw (npm) on Mar 26, 2026.
Statamic's sensitive configuration values are exposed to content editors via Antlers-enabled fields (Moderate). CVE-2026-33886 was published for statamic/cms (Composer) on Mar 26, 2026.
Statamic's Markdown preview endpoint exposes sensitive user data (Moderate). CVE-2026-33882 was published for statamic/cms (Composer) on Mar 26, 2026.
AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings (Moderate). CVE-2026-33761 was published for wwbn/avideo (Composer) on Mar 26, 2026.
Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API (Moderate). CVE-2026-33677 was published for code.vikunja.io/api (Go) on Mar 25, 2026.
Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground (Moderate). CVE-2026-27131 was published for putyourlightson/craft-sprig (Composer) on Mar 23, 2026.
AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php (Moderate). CVE-2026-33041 was published for wwbn/avideo (Composer) on Mar 17, 2026.
Amazon S3 for Craft CMS has an Information Disclosure vulnerability (Moderate). CVE-2026-32265 was published for craftcms/aws-s3 (Composer) on Mar 16, 2026.
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction (Moderate). CVE-2026-29066 was published for @tinacms/cli (npm) on Mar 12, 2026.
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint (Moderate). CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) on Mar 12, 2026.
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause (Moderate). CVE-2026-32098 was published for parse-server (npm) on Mar 12, 2026.
Duplicate Advisory: OpenClaw safeBins file-existence oracle information disclosure (Moderate). GHSA-xjj9-2w6f-jg55 was published for openclaw (npm) on Mar 12, 2026 (withdrawn).
Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash (Moderate). CVE-2026-32094 was published for shescape (npm) on Mar 11, 2026.
Caddy's vars_regexp double-expands user input, leaking env vars and files (Moderate). CVE-2026-30852 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp (Go) on Mar 6, 2026.
Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint (Moderate). GHSA-jc5m-wrp2-qq38 was published for flowise (npm) on Mar 5, 2026.
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint (Moderate). CVE-2026-29787 was published for mcp-memory-service (pip) on Mar 5, 2026.
OliveTin doesn't check view permission when returning dashboards (Moderate). CVE-2026-30233 was published for github.com/OliveTin/OliveTin (Go) on Mar 5, 2026.
Gokapi has Data Leak in Upload Status Stream (Moderate). CVE-2026-28682 was published for github.com/forceu/gokapi (Go) on Mar 5, 2026.
OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection (Moderate). GHSA-jjgj-cpp9-cvpv was published for openclaw (npm) on Mar 4, 2026.
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images (Moderate). CVE-2026-32002 was published for openclaw (npm) on Mar 4, 2026.
OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state (Moderate). GHSA-6g25-pc82-vfwp was published for openclaw (npm) on Mar 3, 2026.
Gradio has an Open Redirect in its OAuth Flow (Moderate). CVE-2026-28415 was published for gradio (pip) on Mar 1, 2026.
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations (Moderate). CVE-2026-27457 was published for weblate (pip) on Feb 26, 2026.
Advisories are also available from the GraphQL API.