Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

460 advisories

Loading
An insecure direct object reference (IDOR) vulnerability in MphRx's Minerva V3.6.0, specifically... Critical Unreviewed
CVE-2026-5779 was published Apr 28, 2026
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate... Critical Unreviewed
CVE-2026-24303 was published Apr 24, 2026
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware ... Critical Unreviewed
CVE-2026-34287 was published Apr 21, 2026
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files Critical
CVE-2026-31843 was published for goodoneuz/pay-uz (Composer) Apr 16, 2026
An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi... Critical Unreviewed
CVE-2026-22564 was published Apr 14, 2026
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can... Critical Unreviewed
CVE-2026-31282 was published Apr 13, 2026
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org... Critical Unreviewed
CVE-2026-31272 was published Apr 7, 2026
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper... Critical Unreviewed
CVE-2026-1114 was published Apr 7, 2026
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow... Critical Unreviewed
CVE-2026-35616 was published Apr 4, 2026
Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6... Critical Unreviewed
CVE-2021-4477 was published Apr 4, 2026
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to... Critical Unreviewed
CVE-2026-2699 was published Apr 2, 2026
An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robot Studio... Critical Unreviewed
CVE-2026-0898 was published Mar 23, 2026
AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection Critical
CVE-2026-33478 was published for wwbn/avideo (Composer) Mar 20, 2026
offset Credited to offset and Marcono1234 Marcono1234 Marcono1234
Langflow has an Arbitrary File Write (RCE) via v2 API Critical
CVE-2026-33309 was published for langflow (pip) Mar 19, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, Jkavia, and andifilhohub abhinavagarwal07 abhinavagarwal07
Jkavia Jkavia andifilhohub andifilhohub
Vulnerability in the Oracle Edge Cloud Infrastructure Designer and Visualisation Toolkit product... Critical Unreviewed
CVE-2026-21994 was published Mar 18, 2026
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service Critical
CVE-2026-32938 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 17, 2026
TCOTC Credited to TCOTC, YuxinZhaozyx, and 88250 YuxinZhaozyx YuxinZhaozyx
88250 88250
File Browser Signup Grants Admin When Default Permissions Include Admin Critical
CVE-2026-32760 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on... Critical Unreviewed
CVE-2026-21667 was published Mar 12, 2026
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on... Critical Unreviewed
CVE-2026-21666 was published Mar 12, 2026
Winter vulnerable to privilege escalation by authenticated backend users Critical
CVE-2026-27591 was published for winter/wn-backend-module (Composer) Mar 12, 2026
skyhex19 Credited to skyhex19
Insecure Access Control in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0... Critical Unreviewed
CVE-2025-66956 was published Mar 11, 2026
Parse Server has role escalation and CLP bypass via direct `_Join` table write Critical
CVE-2026-30966 was published for parse-server (npm) Mar 11, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
WeKnora Vulnerable to Broken Access Control in Tenant Management Critical
CVE-2026-30855 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Critical
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
Rancher cloud credentials can be used through proxy API by users without access Critical
CVE-2021-25320 was published for github.com/rancher/rancher (Go) Mar 3, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database