Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

168 advisories

Loading
Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32769 was published for github.com/ctfer-io/fullchain (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32737 was published for github.com/ctfer-io/romeo/environment/deploy (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace High
CVE-2026-32768 was published for github.com/ctfer-io/chall-manager/deploy (Go) Mar 16, 2026
ViRb3 Credited to ViRb3
github.com/ctfer-io/monitoring Vulnerable to Improper Access Control High
CVE-2026-32720 was published for github.com/ctfer-io/monitoring (Go) Mar 13, 2026
ViRb3 Credited to ViRb3
OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream High
CVE-2026-32102 was published for github.com/OliveTin/OliveTin (Go) Mar 12, 2026
kule500 Credited to kule500
Parse Server has a protected fields bypass via dot-notation in query and sort High
CVE-2026-31872 was published for parse-server (npm) Mar 11, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
Parse Server has a protected fields bypass via logical query operators High
CVE-2026-30962 was published for parse-server (npm) Mar 11, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
WeKnora has Broken Access Control - Cross-Tenant Data Exposure High
CVE-2026-30859 was published for github.com/Tencent/WeKnora (Go) Mar 6, 2026
aleister1102 Credited to aleister1102
Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure High
CVE-2026-30244 was published for plane (pip) Mar 5, 2026
Sanu1999 Credited to Sanu1999
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs High
GHSA-9f72-qcpw-2hxc was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
kule500 Credited to kule500
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints High
CVE-2026-27449 was published for Umbraco.Engage.Forms (NuGet) Feb 27, 2026
OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting High
CVE-2026-28469 was published for clawdbot (npm) Feb 18, 2026
vincentkoc Credited to vincentkoc
OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals High
CVE-2026-26325 was published for openclaw (npm) Feb 17, 2026
christos-eth Credited to christos-eth
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change High
GHSA-hr7j-63v7-vj7g was published for github.com/pterodactyl/wings (Composer) Feb 17, 2026
KTOymep Credited to KTOymep
OpenClaw has an arbitrary transcript path file write via gateway sessionFile High
CVE-2026-28459 was published for openclaw (npm) Feb 17, 2026
tubadeligoz Credited to tubadeligoz
Unauthenticated Spree Commerce users can access all guest addresses High
CVE-2026-25758 was published for spree_api (RubyGems) Feb 5, 2026
p- Credited to p-
pgadmin4 affected by a Restore restriction bypass via key disclosure vulnerability High
CVE-2026-1707 was published for pgadmin4 (pip) Feb 5, 2026
Lollms has an Improper Access Control vulnerability High
CVE-2026-1117 was published for lollms (pip) Feb 2, 2026
Dozzle Agent Label-Based Access Control Bypass Allows Unauthorized Container Shell Access High
CVE-2026-24740 was published for github.com/amir20/dozzle (Go) Jan 27, 2026
k14uz Credited to k14uz
Bagisto has IDOR in Customer Order Reorder Functionality High
CVE-2026-21447 was published for bagisto/bagisto (Composer) Jan 2, 2026
DenizParlak Credited to DenizParlak
memos vulnerability allows the creation of arbitrary accounts High
CVE-2025-65795 was published for github.com/usememos/memos (Go) Dec 8, 2025
XWiki Jetty Package (XJetty) allows accessing any application file through URL High
CVE-2025-55749 was published for org.xwiki.platform:xwiki-platform-tool-jetty-resources (Maven) Dec 1, 2025
Better Auth Passkey Plugin allows passkey deletion through IDOR High
GHSA-4vcf-q4xf-f48m was published for @better-auth/passkey (npm) Nov 25, 2025
goksan Credited to goksan
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database