Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
46
Go
3,270
Maven
5,000+
npm
5,000+
NuGet
867
pip
4,517
Pub
12
RubyGems
998
Rust
1,194
Swift
51
Unreviewed advisories
All unreviewed
5,000+

587 advisories

Loading
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion Critical
CVE-2026-32817 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
Admidio is Missing Authorization on Forum Topic and Post Deletion Moderate
CVE-2026-32818 was published for admidio/admidio (Composer) Mar 16, 2026
restriction Credited to restriction
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
CVE-2026-22172 was published for openclaw (npm) Mar 13, 2026
LUOYEcode Credited to LUOYEcode
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin Moderate
CVE-2026-33501 was published for wwbn/avideo (Composer) Mar 20, 2026
restriction Credited to restriction
Ory Oathkeeper has an authentication bypass by usage of untrusted header Moderate
CVE-2026-33495 was published for github.com/ory/oathkeeper (Go) Mar 20, 2026
etcd: Authorization bypasses in multiple APIs High
CVE-2026-33413 was published for go.etcd.io/etcd (Go) Mar 20, 2026
manizada Credited to manizada
langflow has Unauthenticated IDOR on Image Downloads High
CVE-2026-33484 was published for langflow (pip) Mar 20, 2026
akshatgit Credited to akshatgit, abhinavagarwal07, and andifilhohub abhinavagarwal07 abhinavagarwal07
andifilhohub andifilhohub
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement High
CVE-2026-33316 was published for code.vikunja.io/api (Go) Mar 20, 2026
VashuVats Credited to VashuVats
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
GHSA-x49q-fhhm-r9jf was published for openclaw (npm) Mar 20, 2026 withdrawn
In Soft Serve, an authenticated repo import can clone server-local private repositories High
CVE-2026-33353 was published for github.com/charmbracelet/soft-serve (Go) Mar 19, 2026
evnsh Credited to evnsh
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability High
CVE-2026-32268 was published for craftcms/azure-blob (Composer) Mar 16, 2026
Neosprings Credited to Neosprings
Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite Moderate
CVE-2026-1217 was published for yoast/duplicate-post (Composer) Mar 18, 2026
ictbeheer Credited to ictbeheer
Statamic is missing authorization check on taxonomy term creation via fieldtype Moderate
CVE-2026-33177 was published for statamic/cms (Composer) Mar 18, 2026
everythingBlackkk Credited to everythingBlackkk
Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization High
CVE-2026-30911 was published for apache-airflow (pip) Mar 17, 2026
Mattermost fails to filter invite IDs based on user permissions Moderate
CVE-2026-2463 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
Mattermost allows a removed team member to enumerate all public channels within a private team Moderate
CVE-2026-2458 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions Moderate
GHSA-8jhh-jcqg-mj5p was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page Moderate
CVE-2026-32230 was published for uptime-kuma (npm) Mar 12, 2026
kuranikaran Credited to kuranikaran
Sylius is Missing Authorization in API v2 Add Item Endpoint Moderate
CVE-2026-31821 was published for sylius/sylius (Composer) Mar 11, 2026
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes High
CVE-2026-31800 was published for parse-server (npm) Mar 11, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
OneUptime has WhatsApp Resend Verification Authorization Bypass Moderate
CVE-2026-30959 was published for @oneuptime/common (npm) Mar 10, 2026
Aryma-f4 Credited to Aryma-f4
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover Critical
CVE-2026-30956 was published for @oneuptime/common (npm) Mar 10, 2026
Zwique Credited to Zwique
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
AVideo has Unauthenticated IDOR - Playlist Information Disclosure Moderate
CVE-2026-30885 was published for wwbn/avideo (Composer) Mar 7, 2026
Akokonunes Credited to Akokonunes and neo-ai-engineer neo-ai-engineer neo-ai-engineer
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren High
CVE-2026-30926 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 9, 2026
Zwique Credited to Zwique
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database