GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
581 advisories
Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability
High
CVE-2026-32268
was published
for
craftcms/azure-blob
(Composer)
Mar 16, 2026
Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite
Moderate
CVE-2026-1217
was published
for
yoast/duplicate-post
(Composer)
Mar 18, 2026
In Soft Serve, an authenticated repo import can clone server-local private repositories
High
CVE-2026-33353
was published
for
github.com/charmbracelet/soft-serve
(Go)
Mar 19, 2026
Admidio is Missing Authorization on Forum Topic and Post Deletion
Moderate
CVE-2026-32818
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
CVE-2026-32817
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
Statamic is missing authorization check on taxonomy term creation via fieldtype
Moderate
CVE-2026-33177
was published
for
statamic/cms
(Composer)
Mar 18, 2026
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical
GHSA-rqpp-rjj8-7wv8
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Moderate
GHSA-8jhh-jcqg-mj5p
was published
for
openclaw
(npm)
Mar 13, 2026
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Moderate
CVE-2026-32230
was published
for
uptime-kuma
(npm)
Mar 12, 2026
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
High
CVE-2026-31800
was published
for
parse-server
(npm)
Mar 11, 2026
OneUptime has WhatsApp Resend Verification Authorization Bypass
Moderate
CVE-2026-30959
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover
Critical
CVE-2026-30956
was published
for
@oneuptime/common
(npm)
Mar 10, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
High
CVE-2026-30920
was published
for
@oneuptime/common
(npm)
Mar 9, 2026
AVideo has Unauthenticated IDOR - Playlist Information Disclosure
Moderate
CVE-2026-30885
was published
for
wwbn/avideo
(Composer)
Mar 7, 2026
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren
High
CVE-2026-30926
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 9, 2026
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Moderate
CVE-2026-24004
was published
for
github.com/fleetdm/fleet/v4
(Go)
Feb 26, 2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Moderate
CVE-2026-30850
was published
for
parse-server
(npm)
Mar 9, 2026
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
High
CVE-2026-30823
was published
for
flowise
(npm)
Mar 6, 2026
OliveTin doesn't check view permission when returning dashboards
Moderate
CVE-2026-30233
was published
for
github.com/OliveTin/OliveTin
(Go)
Mar 5, 2026
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
Moderate
CVE-2026-29073
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 3, 2026
ProTip!
Advisories are also available from the
GraphQL API