GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Filter advisories
GitHub reviewed advisories
Unreviewed advisories
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
91
GitHub Actions
54
Go
4,194
Maven
5,000+
npm
5,000+
NuGet
1,021
pip
5,000+
Pub
13
RubyGems
1,102
Rust
1,422
Swift
61
Unreviewed advisories
All unreviewed
5,000+
30 advisories
Filter by severity
Economizzer Insecure Direct Object Reference vulnerability
Low
CVE-2023-38872
was published
for
gugoan/economizzer
(Composer)
Sep 28, 2023
@strapi/plugin-content-manager leaks data via relations via the Admin Panel
Low
CVE-2024-29181
was published
for
@strapi/plugin-content-manager
(npm)
Jun 12, 2024
OpenSearch Observability does not properly restrict access to private tenant resources
Low
CVE-2024-39901
was published
for
org.opensearch.plugin:opensearch-observability
(Maven)
Jul 10, 2024
Grafana org admin can delete pending invites in different org
Low
CVE-2024-10452
was published
for
github.com/grafana/grafana
(Go)
Oct 29, 2024
Oqtane Framework Insecure Direct Object Reference vulnerability
Low
CVE-2024-55186
was published
for
Oqtane.Client
(NuGet)
Dec 20, 2024
xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key
Low
CVE-2025-9263
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Aug 21, 2025
xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter
Low
CVE-2025-9264
was published
for
com.xuxueli:xxl-job-admin
(Maven)
Aug 21, 2025
Mattermost boards plugin fails to restrict download access to files
Low
CVE-2025-9081
was published
for
github.com/mattermost/mattermost-plugin-boards
(Go)
Sep 19, 2025
Skuul School Management System has an Insecure Direct Object Reference (IDOR) Vulnerability in View Fee Invoice
Low
CVE-2025-12918
was published
for
yungifez/skuul
(Composer)
Nov 9, 2025
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
Low
CVE-2025-12919
was published
for
@evershop/evershop
(npm)
Nov 9, 2025
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Low
CVE-2025-14881
was published
for
pretix
(pip)
Dec 19, 2025
pretix has Broken Access Control Allowing Cross-User File Access via UUID
Low
CVE-2025-14882
was published
for
pretix
(pip)
Dec 19, 2025
Chainlit contains an authorization bypass vulnerability
Low
CVE-2025-68492
was published
for
chainlit
(pip)
Jan 14, 2026
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
Low
CVE-2026-27838
was published
for
wger
(pip)
Feb 26, 2026
Keycloak vulnerable to authorization bypass via the Admin API
Low
CVE-2026-2366
was published
for
@keycloak/keycloak-admin-client
(Maven)
Mar 12, 2026
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Low
CVE-2026-32638
was published
for
studiocms
(npm)
Mar 16, 2026
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
Low
CVE-2026-33160
was published
for
craftcms/cms
(Composer)
Mar 24, 2026
Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
Low
GHSA-44px-qjjc-xrhq
was published
for
craftcms/cms
(Composer)
Mar 26, 2026
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
Low
CVE-2026-35624
was published
for
openclaw
(npm)
Mar 26, 2026
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Low
CVE-2026-29071
was published
for
open-webui
(pip)
Mar 27, 2026
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Low
CVE-2026-35617
was published
for
openclaw
(npm)
Mar 29, 2026
Temporal Server: attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster
Low
CVE-2026-5199
was published
for
go.temporal.io/server
(Go)
Apr 1, 2026
Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Low
GHSA-9pm8-vwc5-w2hm
was published
for
fat_free_crm
(RubyGems)
Apr 14, 2026
Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage
Low
CVE-2026-7886
was published
for
concrete5/concrete5
(Composer)
May 22, 2026
Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog
Low
CVE-2026-8347
was published
for
concrete5/concrete5
(Composer)
May 26, 2026
ProTip!
Advisories are also available from the
GraphQL API