Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,967
Maven
5,000+
npm
5,000+
NuGet
973
pip
5,000+
Pub
13
RubyGems
1,064
Rust
1,387
Swift
56
Unreviewed advisories
All unreviewed
5,000+

73 advisories

Loading
epa4all-client: Unauthenticated REST API for Patient Record Writes Moderate
CVE-2026-47672 was published for com.oviva.telematik:epa4all-rest-service (Maven) Jun 4, 2026
snomi Credited to snomi and Volcore Volcore Volcore
Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets Moderate
CVE-2026-47671 was published for github.com/nhost/nhost (Go) Jun 4, 2026
sondt99 Credited to sondt99
Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification Moderate
CVE-2026-47212 was published for symfony/symfony (Composer) May 29, 2026
nicolas-grekas Credited to nicolas-grekas
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection Moderate
CVE-2026-47122 was published for github.com/sparkle-project/Sparkle (Swift) May 29, 2026
fg0x0 Credited to fg0x0
Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45755 was published for symfony/mailtrap-mailer (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois and unknownhad unknownhad unknownhad
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45754 was published for symfony/lox24-notifier (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois, nicolas-grekas, and unknownhad nicolas-grekas nicolas-grekas
unknownhad unknownhad
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication Moderate
GHSA-9v4j-7g44-qcqw was published for github.com/xyproto/algernon (Go) May 19, 2026
Dredsen Credited to Dredsen
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass Moderate
CVE-2026-45577 was published for neotoma (npm) May 18, 2026
AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA Moderate
CVE-2026-45610 was published for WWBN/AVideo (Composer) May 15, 2026
offset Credited to offset
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure Moderate
CVE-2026-45397 was published for open-webui (pip) May 14, 2026
0xRyuzak1 Credited to 0xRyuzak1
mem0 server lacks authentication and authorization controls for its memory creation API endpoint Moderate
CVE-2026-31245 was published for mem0ai (pip) May 12, 2026
mem0 server lacks authentication and authorization controls for its memory deletion API endpoint Moderate
CVE-2026-31241 was published for mem0ai (pip) May 12, 2026
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation Moderate
GHSA-rgj7-vg8v-j4wr was published for github.com/lin-snow/ech0 (Go) May 7, 2026
VashuVats Credited to VashuVats
AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction Moderate
CVE-2026-43881 was published for wwbn/avideo (Composer) May 5, 2026
offset Credited to offset
Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection Moderate
CVE-2026-42303 was published for ethyca-fides (pip) May 5, 2026
RobertKeyser Credited to RobertKeyser and daveqnet daveqnet daveqnet
pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586) Moderate
CVE-2026-42312 was published for pyload-ng (pip) May 4, 2026
shmulc8 Credited to shmulc8
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials Moderate
GHSA-92jp-89mq-4374 was published for openclaw (npm) Apr 17, 2026
smaeljaish771 Credited to smaeljaish771 and KeenSecurityLab KeenSecurityLab KeenSecurityLab
Flowise: Unauthenticated Information Disclosure of OAuth Secrets (Cleartext) via GET Request Moderate
GHSA-6pcv-j4jx-m4vx was published for flowise (npm) Apr 16, 2026
berkdedekarginoglu Credited to berkdedekarginoglu
Temporal does not enforce authentication and authorization for the streaming AdminService/StreamWorkflowReplicationMessages endpoint Moderate
CVE-2026-5724 was published for go.temporal.io/server (Go) Apr 10, 2026
AVideo: Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php Moderate
CVE-2026-35450 was published for wwbn/avideo (Composer) Apr 4, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Signal K Server: Unauthenticated Source Priorities Manipulation Moderate
CVE-2026-33951 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints Moderate
CVE-2026-34732 was published for wwbn/avideo (Composer) Apr 1, 2026
adrgs Credited to adrgs and aisafe-bot aisafe-bot aisafe-bot
Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface Moderate
CVE-2026-34227 was published for github.com/bishopfox/sliver (Go) Mar 31, 2026
skoveit Credited to skoveit
@grackle-ai/powerline Runs Without Authentication by Default Moderate
GHSA-xq7h-vwjp-5vrh was published for @grackle-ai/powerline (npm) Mar 25, 2026
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations Moderate
CVE-2026-33159 was published for craftcms/cms (Composer) Mar 24, 2026
GCXWLP Credited to GCXWLP
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database