GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

108 advisories

golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS High
CVE-2026-39829 was published for golang.org/x/crypto/ssh (Go) Jun 25, 2026
OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing High
CVE-2026-46560 was published for org.openidentityplatform.openam:openam-radius (Maven) Jun 25, 2026
Credited to wodzen
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing High
GHSA-h5x8-xp6m-x6q4 was published for @jhb.software/payload-cloudinary-plugin (npm) Jun 19, 2026
Credited to EQSTLab
CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate High
CVE-2026-54774 was published for CoreWCF.Primitives (NuGet) Jun 19, 2026
Credited to sour-exploit
PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing High
GHSA-fc26-m9pf-v56q was published for praisonai (pip) Jun 18, 2026
Credited to rexpository
Netty: Wrapping plain trust manager silently disables hostname verification High
CVE-2026-50010 was published for io.netty:netty-handler (Maven) Jun 15, 2026
Credited to aradona91
authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user High
CVE-2026-47201 was published for goauthentik.io (Go) May 29, 2026
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring High
CVE-2026-42462 was published for @fedify/fedify (npm) May 26, 2026
libcrux-ml-dsa: Signature Verification on AVX2 Platforms Mishandles Edge Case High
GHSA-fhvh-vw7h-9xf3 was published for libcrux-ml-dsa (Rust) May 19, 2026
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client High
CVE-2026-45575 was published for com.oviva.telematik:epa4all-client (Maven) May 15, 2026
Credited to snomi and Volcore
bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass High
CVE-2026-44714 was published for org.bitcoinj:bitcoinj-core (Maven) May 8, 2026
Credited to jmecom, msgilligan, and schildbach
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
Credited to caitlinhalla
awslabs/tough Delegated Roles have a Signature Threshold Bypass High
CVE-2026-6966 was published for tough (Rust) May 5, 2026
Credited to 1seal and emilyalbini
Admidio Ignores SAML Signature Validation Result, Processes Forged AuthnRequests and LogoutRequests High
CVE-2026-41669 was published for admidio/admidio (Composer) Apr 29, 2026
Credited to offset
Credited to sgbett
jose vulnerable to untrusted JWK header key acceptance during signature verification High
CVE-2026-34240 was published for jose (Pub) Mar 31, 2026
Credited to splitline
Zebra has a Consensus Failure due to Improper Verification of V5 Transactions High
CVE-2026-34377 was published for zebra-consensus (Rust) Mar 30, 2026
Credited to conradoplg, mpguerra, and alchemydc
Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured High
GHSA-vjqw-w5jr-g9w5 was published for openclaw (npm) Mar 29, 2026 withdrawn
Forge has signature forgery in Ed25519 due to missing S > L check High
CVE-2026-33895 was published for node-forge (npm) Mar 26, 2026
Credited to corbanvilla, dderpym, and soh3e
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field High
CVE-2026-33894 was published for node-forge (npm) Mar 26, 2026
Credited to corbanvilla, dderpym, and soh3e
libcrux has an Incorrect Check of Signer Response Norm During Verification High
GHSA-cp57-fq8g-qh6v was published for libcrux-ml-dsa (Rust) Mar 26, 2026