GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 43; Go 3,181; Maven 5,000+; npm 5,000+; NuGet 863; pip 4,474; Pub 12; RubyGems 991; Rust 1,185; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.

3,789 advisories in the current listing (each line: severity | identifier | affected package (ecosystem) | publication date | title):
Critical | CVE-2026-32267 | craftcms/cms (Composer) | published Mar 16, 2026 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
Critical | CVE-2026-27962 | authlib (pip) | published Mar 16, 2026 | Authlib JWS JWK Header Injection: Signature Verification Bypass
Critical | GHSA-rmpj-3x5m-9m5f | admidio/admidio (Composer) | published Mar 16, 2026 | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical | CVE-2026-32767 | github.com/siyuan-note/siyuan/kernel (Go) | published Mar 16, 2026 | SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Critical | CVE-2026-32760 | github.com/filebrowser/filebrowser/v2 (Go) | published Mar 16, 2026 | File Browser Signup Grants Admin When Default Permissions Include Admin
Critical | CVE-2026-32301 | github.com/centrifugal/centrifugo/v6 (Go) | published Mar 13, 2026 | Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical | CVE-2026-32306 | oneuptime (npm) | published Mar 13, 2026 | OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical | CVE-2026-32304 | locutus (npm) | published Mar 13, 2026 | Locutus vulnerable to RCE via unsanitized input in create_function()
Critical | CVE-2026-26954 | @nyariv/sandboxjs (npm) | published Mar 13, 2026 | SandboxJS affected by a Sandbox Escape
Critical | CVE-2026-32614 | github.com/emmansun/gmsm (Go) | published Mar 13, 2026 | SM9 Infinity-Point Ciphertext Forgery Vulnerability
Critical | CVE-2026-31886 | github.com/dagu-org/dagu (Go) | published Mar 13, 2026 | Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Critical | CVE-2026-32633 | Glances (pip) | published Mar 16, 2026 | Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical | CVE-2026-25534 | io.spinnaker.clouddriver:clouddriver-artifacts (Maven) | published Mar 16, 2026 | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical | GHSA-hx5q-v6pj-533r | com.linecorp.centraldogma:centraldogma-server-auth-saml (Maven) | published Feb 26, 2024 | SAML authentication bypass due to missing validation on unsigned SAML messages
Critical | CVE-2024-1735 | com.linecorp.armeria:armeria-saml (Maven) | published Feb 26, 2024 | Armeria SAML authentication bypass due to missing validation on unsigned SAML messages
Critical | GHSA-84c3-j8r2-mcm8 | @nfid/embed (npm) | published Feb 26, 2024 | @nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys
Critical | CVE-2024-25124 | github.com/gofiber/fiber/v2 (Go) | published Feb 22, 2024 | Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
Critical | CVE-2023-51518 | org.apache.james:james-server (Maven) | published Feb 27, 2024 | Apache James server: Privilege escalation via JMX pre-authentication deserialization
Critical | CVE-2024-27133 | mlflow (pip) | published Feb 24, 2024 | MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution
Critical | CVE-2012-3503 | katello (RubyGems) | published May 17, 2022 | Katello uses hard coded credential
Critical | GHSA-rqpp-rjj8-7wv8 | openclaw (npm) | published Mar 13, 2026 | OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical | CVE-2026-32621 | @apollo/federation-internals (npm) | published Mar 13, 2026 | Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical | GHSA-4jpw-hj22-2xmc | openclaw (npm) | published Mar 13, 2026 | OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Critical | GHSA-xw77-45gv-p728 | openclaw (npm) | published Mar 13, 2026 | OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
ProTip: advisories are also available from the GraphQL API.
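The GraphQL route is the practical way to consume this database rather than scraping the listing. The following is an added example (mine, not GitHub's code or anything from this page): it issues the `securityVulnerabilities` query that pairs each affected package and version range with its advisory, flattens the reply into one record per package, and checks those records against an inventory of installed versions. The endpoint and field names follow GitHub's public GraphQL schema as I know it and are an assumption to verify against the schema docs; the sample response is constructed for the offline run, and its version ranges, timestamps and the placeholder GHSA id are illustrative rather than real advisory data.

```python
"""Pull advisories from GitHub's GraphQL API and match them to installed packages.

Added example, not GitHub's code. Endpoint/field names: assumption from the public
schema. SAMPLE_RESPONSE: constructed; ranges, timestamps and the placeholder GHSA
id are not real advisory data.
"""
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest-updated vulnerabilities for one ecosystem, restricted to the given
# severities; each node is one (package, version range) tied to its advisory.
VULN_QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $severities: [SecurityAdvisorySeverity!], $first: Int!) {
  securityVulnerabilities(first: $first, ecosystem: $ecosystem, severities: $severities,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    nodes {
      package { name ecosystem }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory { ghsaId summary severity publishedAt identifiers { type value } }
    }
  }
}
"""


def fetch_vulnerabilities(token, ecosystem="NPM", severities=("CRITICAL",), first=50):
    """Live query; needs a GitHub token (public advisories need no extra scopes)."""
    payload = {"query": VULN_QUERY,
               "variables": {"ecosystem": ecosystem, "severities": list(severities), "first": first}}
    req = urllib.request.Request(
        GRAPHQL_URL, data=json.dumps(payload).encode(),
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten(response):
    """One flat record per (package, advisory) from the nested GraphQL payload."""
    records = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        records.append({
            "package": node["package"]["name"], "ecosystem": node["package"]["ecosystem"],
            "ghsa": adv["ghsaId"], "cve": cve, "severity": adv["severity"],
            "range": node["vulnerableVersionRange"],
            "patched": (node.get("firstPatchedVersion") or {}).get("identifier"),
            "published": adv["publishedAt"], "summary": adv["summary"],
        })
    return records


def _vtuple(v):
    """Numeric prefix of each dotted component; prerelease tags are ignored (caveat)."""
    out = []
    for part in v.strip().lstrip("v").split("."):
        digits = "".join(ch for ch in part if ch.isdigit())[:len(part)]
        lead = ""
        for ch in part:
            if not ch.isdigit():
                break
            lead += ch
        out.append(int(lead) if lead else 0)
    return tuple(out)


def _cmp(a, b):
    ta, tb = _vtuple(a), _vtuple(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, "<": lambda c: c < 0, "=": lambda c: c == 0}


def in_range(version, range_expr):
    """True when version satisfies every comma-separated clause, e.g. '>= 2.0.0, < 2.0.5'."""
    for clause in range_expr.split(","):
        clause = clause.strip()
        for op in (">=", "<=", ">", "<", "="):   # two-char operators first
            if clause.startswith(op):
                if not _OPS[op](_cmp(version, clause[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {clause!r}")
    return True


def affected(records, installed):
    """installed: {(ECOSYSTEM, package): version}. Returns the records that match."""
    return [r for r in records
            if (v := installed.get((r["ecosystem"], r["package"]))) is not None
            and in_range(v, r["range"])]


SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {"nodes": [   # constructed
    {"package": {"name": "locutus", "ecosystem": "NPM"},
     "vulnerableVersionRange": ">= 2.0.0, < 2.0.5",            # illustrative range
     "firstPatchedVersion": {"identifier": "2.0.5"},
     "advisory": {"ghsaId": "GHSA-0000-0000-0000",             # placeholder id
                  "summary": "Locutus vulnerable to RCE via unsanitized input in create_function()",
                  "severity": "CRITICAL", "publishedAt": "2026-03-13T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0000"},
                                  {"type": "CVE", "value": "CVE-2026-32304"}]}},
    {"package": {"name": "@nfid/embed", "ecosystem": "NPM"},
     "vulnerableVersionRange": "< 1.0.0",                       # illustrative range
     "firstPatchedVersion": None,                               # no fixed release
     "advisory": {"ghsaId": "GHSA-84c3-j8r2-mcm8",
                  "summary": "@nfid/embed has compromised private key",
                  "severity": "CRITICAL", "publishedAt": "2024-02-26T00:00:00Z",
                  "identifiers": [{"type": "GHSA", "value": "GHSA-84c3-j8r2-mcm8"}]}},
]}}}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    data = fetch_vulnerabilities(token) if token else SAMPLE_RESPONSE
    inventory = {("NPM", "locutus"): "2.0.3", ("NPM", "@nfid/embed"): "1.0.0"}  # constructed
    for hit in affected(flatten(data), inventory):
        print(hit["severity"], hit["cve"] or hit["ghsa"], hit["package"], hit["range"],
              "fixed in", hit["patched"] or "(no fix)")
```

Two caveats for real use: the range matcher compares only the numeric prefix of each version component, so prerelease builds such as `2.0.0-rc1` are treated as `2.0.0` and may be misclassified, and an entry whose `firstPatchedVersion` is null (like the second sample node) has no fixed release to upgrade to, so the only remediation is removing or isolating the dependency.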