GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
361 advisories
Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
High. CVE-2026-49981 was published for twig/twig (Composer) on Jul 1, 2026.

Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook
High. CVE-2026-49824 was published for github.com/fission/fission (Go) on Jun 30, 2026.

Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook
High. CVE-2026-49823 was published for github.com/fission/fission (Go) on Jun 30, 2026.

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
High. CVE-2026-49473 was published for @cedar-policy/authorization-for-expressjs (npm) on Jun 30, 2026.

Blnk has an API key authorization bypass in owner and scope enforcement
High. GHSA-wcr3-9x4c-f5gj was published for github.com/blnkfinance/blnk (Go) on Jun 26, 2026.

Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
High. CVE-2026-46717 was published for github.com/nezhahq/nezha (Go) on May 23, 2026.

Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
High. CVE-2026-48508 was published for lemur (pip) on Jun 25, 2026.

Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php
High. CVE-2026-8350 was published for concrete5/concrete5 (Composer) on May 21, 2026.

LiteLLM allows a user to modify their own user_role via the /user/update endpoint
High. CVE-2026-47102 was published for litellm (pip) on May 21, 2026.

LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit
High. CVE-2026-47101 was published for litellm (pip) on May 21, 2026.

Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
High. CVE-2026-48507 was published for snipe/snipe-it (Composer) on Jun 23, 2026.

Gogs's write-level collaborators can mutate admin-only repository settings via API
High. CVE-2026-52808 was published for gogs.io/gogs (Go) on Jun 23, 2026.

stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)
High. GHSA-6gqw-jqv7-v88m was published for stigmem-node (pip) on Jun 19, 2026.
stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
High. GHSA-xhv3-q4xx-349r was published for stigmem-node (pip) on Jun 19, 2026.
containerd CRI checkpoint restore CDI annotation smuggling
High. CVE-2026-53492 was published for github.com/containerd/containerd/v2 (Go) on Jun 19, 2026.

OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
High. CVE-2026-53853 was published for openclaw (npm) on Jun 18, 2026.

OpenClaw: Shell positional parameters could weaken strict inline-eval checks
High. CVE-2026-53855 was published for openclaw (npm) on Jun 18, 2026.

PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml
High. GHSA-7qw2-w5rc-37x2 was published for praisonai (pip) on Jun 18, 2026.

npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining
High. GHSA-5jv7-2mjm-h6qj was published for praisonai (npm) on Jun 18, 2026.

npm PraisonAI AgentLoop onToolCall approval runs after tool execution
High. GHSA-h2w2-v7j6-xqm4 was published for praisonai (npm) on Jun 18, 2026.

npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining
High. GHSA-vjv9-7m7j-h833 was published for praisonai (npm) on Jun 18, 2026.

npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
High. GHSA-4qq2-2j2x-x62c was published for praisonai (npm) on Jun 18, 2026.

PraisonAI Code agent tools fail open without a workspace boundary
High. GHSA-gcq3-mfvh-3x25 was published for praisonai (pip) on Jun 18, 2026.

PraisonAI: Compute-bridged file tools allow shell command injection
High. GHSA-w6h2-fr4q-xvxv was published for praisonai (pip) on Jun 18, 2026.

PraisonAI recipe.run_stream skips dangerous-tool policy enforcement
High. GHSA-v847-hxxw-3pxg was published for praisonai (pip) on Jun 18, 2026.
ProTip! Advisories are also available from the GraphQL API.