GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
30 advisories (25 listed on this page)
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
  Low | CVE-2026-55670 | github.com/zitadel/zitadel (Go) | published Jun 18, 2026

PhoenixStorybook has cross-session PubSub topic injection via URL parameter
  Low | CVE-2026-47068 | phoenix_storybook (Erlang) | published Jun 9, 2026

Bugsink: Issue bulk actions can affect another project's issue if its UUID is known
  Low | CVE-2026-47716 | bugsink (pip) | published Jun 5, 2026

Bugsink: Issue event views can show an event from another project if its UUID is known
  Low | CVE-2026-47715 | bugsink (pip) | published Jun 5, 2026

NocoDB: Missing Ownership Check in MCP Attachment Read
  Low | CVE-2026-47388 | nocodb (npm) | published Jun 5, 2026

Concrete CMS is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog
  Low | CVE-2026-8347 | concrete5/concrete5 (Composer) | published May 26, 2026

Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage
  Low | CVE-2026-7886 | concrete5/concrete5 (Composer) | published May 22, 2026

Fat Free CRM has BOLA in DELETE /emails/:id: any authenticated user can hit this endpoint and delete emails by ID
  Low | GHSA-9pm8-vwc5-w2hm | fat_free_crm (RubyGems) | published Apr 14, 2026

Temporal Server: attacker-controlled namespace could signal, delete, and reset workflows or activities in a victim namespace on the same cluster
  Low | CVE-2026-5199 | go.temporal.io/server (Go) | published Apr 1, 2026

OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
  Low | CVE-2026-35617 | openclaw (npm) | published Mar 29, 2026

Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
  Low | CVE-2026-29071 | open-webui (pip) | published Mar 27, 2026

OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens
  Low | CVE-2026-35624 | openclaw (npm) | published Mar 26, 2026

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
  Low | GHSA-44px-qjjc-xrhq | craftcms/cms (Composer) | published Mar 26, 2026

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
  Low | CVE-2026-33160 | craftcms/cms (Composer) | published Mar 24, 2026

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
  Low | CVE-2026-32638 | studiocms (npm) | published Mar 16, 2026

Keycloak vulnerable to authorization bypass via the Admin API
  Low | CVE-2026-2366 | @keycloak/keycloak-admin-client (Maven) | published Mar 12, 2026

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
  Low | CVE-2026-27838 | wger (pip) | published Feb 26, 2026

Chainlit contains an authorization bypass vulnerability
  Low | CVE-2025-68492 | chainlit (pip) | published Jan 14, 2026

pretix has Broken Access Control Allowing Cross-User File Access via UUID
  Low | CVE-2025-14881 | pretix (pip) | published Dec 19, 2025

pretix has Broken Access Control Allowing Cross-User File Access via UUID
  Low | CVE-2025-14882 | pretix (pip) | published Dec 19, 2025

EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
  Low | CVE-2025-12919 | @evershop/evershop (npm) | published Nov 9, 2025

Skuul School Management System has an Insecure Direct Object Reference (IDOR) Vulnerability in View Fee Invoice
  Low | CVE-2025-12918 | yungifez/skuul (Composer) | published Nov 9, 2025

Mattermost boards plugin fails to restrict download access to files
  Low | CVE-2025-9081 | github.com/mattermost/mattermost-plugin-boards (Go) | published Sep 19, 2025

xxl-job Vulnerable to Resource Injection and Authorization Bypass Through User-Controlled Key
  Low | CVE-2025-9263 | com.xuxueli:xxl-job-admin (Maven) | published Aug 21, 2025

xxl-job Jobs Handler remove function allows improper control of resource identifiers via ID parameter
  Low | CVE-2025-9264 | com.xuxueli:xxl-job-admin (Maven) | published Aug 21, 2025