Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,479
Maven
5,000+
npm
5,000+
NuGet
886
pip
4,740
Pub
13
RubyGems
1,031
Rust
1,225
Swift
53
Unreviewed advisories
All unreviewed
5,000+

350 advisories

Loading
HashiCorp's go-getter library may allow arbitrary file reads High
CVE-2026-4660 was published for github.com/hashicorp/go-getter (Go) Apr 9, 2026
Apache DolphinScheduler vulnerable to sensitive information disclosure High
CVE-2025-62188 was published for org.apache.dolphinscheduler:dolphinscheduler (Maven) Apr 9, 2026
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server High
CVE-2026-39889 was published for praisonai (pip) Apr 8, 2026
srisowmya2000 Credited to srisowmya2000
LiteLLM: Password hash exposure and pass-the-hash authentication bypass High
GHSA-69x8-hrgq-fjj8 was published for litellm (pip) Apr 8, 2026
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket High
CVE-2026-39363 was published for vite (npm) Apr 6, 2026
odgrso Credited to odgrso, CodeAnt-AI-Security, tronglinh23, and bluwy CodeAnt-AI-Security CodeAnt-AI-Security
tronglinh23 tronglinh23 bluwy bluwy
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries High
CVE-2026-35442 was published for directus (npm) Apr 4, 2026
Rack::Static prefix matching can expose unintended files under the static root High
CVE-2026-34785 was published for rack (RubyGems) Apr 2, 2026
th4s1s Credited to th4s1s, jeremyevans, and ioquatix jeremyevans jeremyevans
ioquatix ioquatix
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure High
GHSA-jccr-rrw2-vc8h was published for openclaw (npm) Mar 31, 2026
nicky-cc Credited to nicky-cc
AVideo: Unauthenticated Access to Payment Log DataTables Endpoints Exposes Transaction Data, PayPal Tokens, and User Financial Records High
GHSA-wprj-9cvc-5w37 was published for wwbn/avideo (Composer) Mar 29, 2026
offset Credited to offset
Parse Server exposes auth data via verify password endpoint High
CVE-2026-34215 was published for parse-server (npm) Mar 29, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters High
CVE-2026-33981 was published for changedetection.io (pip) Mar 27, 2026
sajdakabir Credited to sajdakabir and zerotrail-ai zerotrail-ai zerotrail-ai
MLFlow allows Tracing + Assessments Access High
CVE-2025-15381 was published for mlflow (pip) Mar 27, 2026
Parse Server exposes auth data via /users/me endpoint High
CVE-2026-33627 was published for parse-server (npm) Mar 24, 2026
mtrezza Credited to mtrezza
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
evnsh Credited to evnsh
Parse Server leaks protected fields via LiveQuery afterEvent trigger High
CVE-2026-33163 was published for parse-server (npm) Mar 18, 2026
mtrezza Credited to mtrezza and offset offset offset
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials High
CVE-2026-32609 was published for Glances (pip) Mar 16, 2026
offset Credited to offset
Glances exposes the REST API without authentication High
CVE-2026-32596 was published for Glances (pip) Mar 16, 2026
DhiyaneshGeek Credited to DhiyaneshGeek
Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values High
CVE-2026-2476 was published for github.com/mattermost/mattermost-plugin-msteams (Go) Mar 16, 2026
Unauthorized access to Argo Workflows Template High
CVE-2026-28229 was published for github.com/argoproj/argo-workflows/v3 (Go) Mar 11, 2026
Masamuneee Credited to Masamuneee
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage High
GHSA-rchv-x836-w7xp was published for openclaw (npm) Mar 9, 2026
whiter6666 Credited to whiter6666
Glances Exposes Unauthenticated Configuration Secrets High
CVE-2026-30928 was published for glances (pip) Mar 9, 2026
theamanrawat Credited to theamanrawat and neo-ai-engineer neo-ai-engineer neo-ai-engineer
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info High
CVE-2026-30933 was published for github.com/gtsteffaniak/filebrowser/backend (Go) Mar 9, 2026
mdcoxe Credited to mdcoxe
Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure High
CVE-2026-30244 was published for plane (pip) Mar 5, 2026
Sanu1999 Credited to Sanu1999
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs High
GHSA-9f72-qcpw-2hxc was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset High
CVE-2026-27522 was published for openclaw (npm) Mar 2, 2026
GCXWLP Credited to GCXWLP
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database