Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
55
GitHub Actions
50
Go
3,732
Maven
5,000+
npm
5,000+
NuGet
935
pip
4,952
Pub
13
RubyGems
1,055
Rust
1,343
Swift
54
Unreviewed advisories
All unreviewed
5,000+

297 advisories

Loading
FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field Moderate
CVE-2026-32699 was published for facturascripts/facturascripts (Composer) Apr 28, 2026
TurkiOS Credited to TurkiOS
Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration Moderate
CVE-2026-40966 was published for org.springframework.ai:spring-ai-advisors-vector-store (Maven) Apr 28, 2026
Nuclei: Local File Read via require() Module Loader Bypass Moderate
CVE-2026-41646 was published for github.com/projectdiscovery/nuclei/v3 (Go) Apr 22, 2026
AkashHamal0x01 Credited to AkashHamal0x01
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API Moderate
CVE-2026-6596 was published for langflow-base (pip) Apr 20, 2026
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records Moderate
CVE-2026-40304 was published for github.com/openziti/zrok (Go) Apr 16, 2026
bugbunny-research Credited to bugbunny-research
October Rain has a Twig Sandbox Bypass via Collection Methods Moderate
CVE-2026-22692 was published for october/rain (Composer) Apr 14, 2026
lukasz-rybak Credited to lukasz-rybak and daftspunk daftspunk daftspunk
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch Moderate
CVE-2026-41398 was published for openclaw (npm) Apr 7, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
AVideo: Unauthenticated File Deletion via PHP Operator Precedence Bug in CLI Guard Moderate
CVE-2026-34733 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope Moderate
CVE-2026-35619 was published for openclaw (npm) Mar 30, 2026
zpbrent Credited to zpbrent
Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic Moderate
CVE-2026-33726 was published for github.com/cilium/cilium (Go) Mar 26, 2026
Champ-Goblem Credited to Champ-Goblem, sudeephb, julianwiedmann, and smagnani96 sudeephb sudeephb
julianwiedmann julianwiedmann smagnani96 smagnani96
A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution Moderate
CVE-2026-33622 was published for github.com/pinchtab/pinchtab (Go) Mar 24, 2026
Yesuhei Credited to Yesuhei
Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false Moderate
CVE-2026-4628 was published for org.keycloak:keycloak-services (Maven) Mar 23, 2026
dnegreira Credited to dnegreira
File Browser has an Authorization Policy Bypass in Public Share Download Flow Moderate
CVE-2026-32761 was published for https://github.com/filebrowser/filebrowser (Go) Mar 18, 2026
Ahmad-jarwan Credited to Ahmad-jarwan and hacdias hacdias hacdias
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API Moderate
CVE-2026-3429 was published for org.keycloak:keycloak-services (Maven) Mar 11, 2026
Ankush-Pathak Credited to Ankush-Pathak
django-unicorn affected by component state manipulation via unvalidated attribute access Moderate
CVE-2026-31815 was published for django-unicorn (pip) Mar 11, 2026
RinZ27 Credited to RinZ27
Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash Moderate
CVE-2026-2742 was published for com.vaadin:flow-server (Maven) Mar 10, 2026
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions Moderate
CVE-2026-27646 was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion Moderate
CVE-2026-29061 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
Gokapi has privilege escalation with auth token Moderate
CVE-2026-29060 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Forceu Credited to Forceu
Gokapi has Data Leak in Upload Status Stream Moderate
CVE-2026-28682 was published for github.com/forceu/gokapi (Go) Mar 5, 2026
Sijisu Credited to Sijisu, aisafe-bot, and Forceu aisafe-bot aisafe-bot
Forceu Forceu
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images Moderate
CVE-2026-32002 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch Moderate
GHSA-534w-2vm4-89xr was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch Moderate
CVE-2026-31998 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database