GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
407 advisories
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Moderate
CVE-2026-33501
was published
for
wwbn/avideo
(Composer)
Mar 20, 2026
Statamic is missing authorization check on taxonomy term creation via fieldtype
Moderate
CVE-2026-33177
was published
for
statamic/cms
(Composer)
Mar 18, 2026
Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite
Moderate
CVE-2026-1217
was published
for
yoast/duplicate-post
(Composer)
Mar 18, 2026
Admidio is Missing Authorization on Forum Topic and Post Deletion
Moderate
CVE-2026-32818
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Moderate
GHSA-8jhh-jcqg-mj5p
was published
for
openclaw
(npm)
Mar 13, 2026
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Moderate
CVE-2026-32230
was published
for
uptime-kuma
(npm)
Mar 12, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate
CVE-2026-30959
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate
CVE-2026-30850
was published
for
parse-server
(npm)
Mar 9, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Moderate
CVE-2026-30885
was published
for
wwbn/avideo
(Composer)
Mar 7, 2026
OliveTin doesn't check view permission when returning dashboards
Moderate
CVE-2026-30233
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints
Moderate
CVE-2026-3351
was published
for
github.com/canonical/lxd
(Go)
Mar 4, 2026
OpenClaw: MS Teams fileConsent/invoke missing conversation binding allowed cross-conversation pending-upload consumption
Moderate
GHSA-j26j-7qc4-3mrf
was published
for
openclaw
(npm)
Mar 3, 2026
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
Moderate
CVE-2026-29073
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 3, 2026
OpenClaw's andbox browser noVNC observer lacked VNC authentication
Moderate
GHSA-25gx-x37c-7pph
was published
for
openclaw
(npm)
Mar 3, 2026
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Moderate
CVE-2026-27638
was published
for
@actual-app/sync-server
(npm)
Feb 27, 2026
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Moderate
CVE-2026-27457
was published
for
weblate
(pip)
Feb 26, 2026
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Moderate
CVE-2026-24004
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints
Moderate
CVE-2026-27111
was published
for
github.com/akuity/kargo
(Go)
Feb 19, 2026
ProTip!
Advisories are also available from the
GraphQL API