Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,479
Maven
5,000+
npm
5,000+
NuGet
886
pip
4,740
Pub
13
RubyGems
1,031
Rust
1,225
Swift
53
Unreviewed advisories
All unreviewed
5,000+

383 advisories

Loading
next-intl has an open redirect vulnerability Moderate
GHSA-8f24-v5vv-gm5j was published for next-intl (npm) Apr 10, 2026
joniumGit Credited to joniumGit
Apache Tomcat has an Open Redirect vulnerability Moderate
CVE-2026-25854 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) Apr 9, 2026
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects High
GHSA-pg8g-f2hf-x82m was published for openclaw (npm) Apr 9, 2026 withdrawn
Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri High
GHSA-x3f4-v83f-7wp2 was published for github.com/authorizerdev/authorizer (Go) Apr 6, 2026
kodareef5 Credited to kodareef5
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow Moderate
CVE-2026-35410 was published for directus (npm) Apr 4, 2026
POV9en Credited to POV9en
Directus: Open Redirect in Admin 2FA Setup Page Moderate
CVE-2026-35411 was published for directus (npm) Apr 4, 2026
ComfortablyCoding Credited to ComfortablyCoding, Akokonunes, and neo-ai-engineer Akokonunes Akokonunes
neo-ai-engineer neo-ai-engineer
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
JupyterHub has an Open Redirect Vulnerability Moderate
CVE-2026-33709 was published for jupyterhub (pip) Apr 3, 2026
RacerZ-fighting Credited to RacerZ-fighting and Fushuling Fushuling Fushuling
Casdoor vulnerable to Open Redirect Low
CVE-2026-5467 was published for github.com/casdoor/casdoor (Go) Apr 3, 2026
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint High
CVE-2026-3872 was published for org.keycloak:keycloak-services (Maven) Apr 2, 2026
n8n: Authenticated XSS and Open Redirect via Form Node Moderate
GHSA-w673-8fjw-457c was published for n8n (npm) Mar 27, 2026
tCu0n9 Credited to tCu0n9
Statamic has an Open Redirect on unauthenticated endpoints via URL parsing differential Moderate
CVE-2026-33885 was published for statamic/cms (Composer) Mar 26, 2026
offset Credited to offset
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation Moderate
GHSA-fp4x-ggrf-wmc6 was published for h3 (npm) Mar 23, 2026
offset Credited to offset
Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR Moderate
CVE-2026-33397 was published for @angular/ssr (npm) Mar 19, 2026
VenkatKwest Credited to VenkatKwest, alan-agius4, securityMB, josephperrott, and AndrewKushnir alan-agius4 alan-agius4
securityMB securityMB josephperrott josephperrott AndrewKushnir AndrewKushnir
AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php Low
CVE-2026-33296 was published for wwbn/avideo (Composer) Mar 19, 2026
fg0x0 Credited to fg0x0
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects Moderate
GHSA-vhj5-x93p-67jw was published for actix-web-lab (Rust) Mar 11, 2026
Sylius has an Open Redirect via Referer Header Moderate
CVE-2026-31819 was published for sylius/sylius (Composer) Mar 11, 2026
bnBart Credited to bnBart
Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion High
CVE-2026-28512 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
ByamB4 Credited to ByamB4
django-allauth has an open redirect vulnerability Moderate
CVE-2026-27982 was published for django-allauth (pip) Mar 5, 2026
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links High
CVE-2026-28681 was published for irrd (pip) Mar 4, 2026
BrookeYangRui Credited to BrookeYangRui
Products.isurlinportal has possible open redirect when using more than 2 forward slashes Moderate
CVE-2026-28413 was published for Products.isurlinportal (pip) Mar 2, 2026
ale-rt Credited to ale-rt
Gradio has an Open Redirect in its OAuth Flow Moderate
CVE-2026-28415 was published for gradio (pip) Mar 1, 2026
logicx24 Credited to logicx24
Angular SSR has an Open Redirect via X-Forwarded-Prefix Moderate
CVE-2026-27738 was published for @angular/ssr (npm) Feb 25, 2026
alan-agius4 Credited to alan-agius4, josephperrott, securityMB, AndrewKushnir, dgp1130, and VenkatKwest josephperrott josephperrott
securityMB securityMB AndrewKushnir AndrewKushnir dgp1130 dgp1130 VenkatKwest VenkatKwest
Feathers has an open redirect in OAuth callback enables account takeover High
CVE-2026-27191 was published for @feathersjs/authentication-oauth (npm) Feb 19, 2026
vvxhid Credited to vvxhid and b0-n0-b0 b0-n0-b0 b0-n0-b0
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database