GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
3,789 advisories
Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion
Critical
GHSA-rmpj-3x5m-9m5f
was published
for
admidio/admidio
(Composer)
Mar 16, 2026
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
Critical
CVE-2026-32767
was published
for
github.com/siyuan-note/siyuan/kernel
(Go)
Mar 16, 2026
File Browser Signup Grants Admin When Default Permissions Include Admin
Critical
CVE-2026-32760
was published
for
github.com/filebrowser/filebrowser/v2
(Go)
Mar 16, 2026
Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Critical
CVE-2026-32633
was published
for
Glances
(pip)
Mar 16, 2026
Authlib JWS JWK Header Injection: Signature Verification Bypass
Critical
CVE-2026-27962
was published
for
authlib
(pip)
Mar 16, 2026
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Critical
CVE-2026-25534
was published
for
io.spinnaker.clouddriver:clouddriver-artifacts
(Maven)
Mar 16, 2026
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Critical
GHSA-rqpp-rjj8-7wv8
was published
for
openclaw
(npm)
Mar 13, 2026
Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
Critical
CVE-2026-32621
was published
for
@apollo/federation-internals
(npm)
Mar 13, 2026
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Critical
CVE-2026-32301
was published
for
github.com/centrifugal/centrifugo/v6
(Go)
Mar 13, 2026
OneUptime ClickHouse SQL Injection via Aggregate Query Parameters
Critical
CVE-2026-32306
was published
for
oneuptime
(npm)
Mar 13, 2026
Locutus vulnerable to RCE via unsanitized input in create_function()
Critical
CVE-2026-32304
was published
for
locutus
(npm)
Mar 13, 2026
SM9 Infinity-Point Ciphertext Forgery Vulnerability
Critical
CVE-2026-32614
was published
for
github.com/emmansun/gmsm
(Go)
Mar 13, 2026
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Critical
GHSA-4jpw-hj22-2xmc
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes
Critical
GHSA-xw77-45gv-p728
was published
for
openclaw
(npm)
Mar 13, 2026
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Critical
CVE-2026-31886
was published
for
github.com/dagu-org/dagu
(Go)
Mar 13, 2026
SandboxJS affected by a Sandbox Escape
Critical
CVE-2026-26954
was published
for
@nyariv/sandboxjs
(npm)
Mar 13, 2026
TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
Critical
CVE-2026-28792
was published
for
@tinacms/cli
(npm)
Mar 12, 2026
Parse Server: Account takeover via operator injection in authentication data identifier
Critical
CVE-2026-32248
was published
for
parse-server
(npm)
Mar 12, 2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Critical
CVE-2026-32242
was published
for
parse-server
(npm)
Mar 12, 2026
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Critical
CVE-2026-32136
was published
for
github.com/AdguardTeam/AdGuardHome
(Go)
Mar 12, 2026
Winter vulnerable to privilege escalation by authenticated backend users
Critical
CVE-2026-27591
was published
for
winter/wn-backend-module
(Composer)
Mar 12, 2026
xygeni-action v5 tag poisoned with C2 backdoor
Critical
CVE-2026-31976
was published
for
xygeni/xygeni-action
(GitHub Actions)
Mar 11, 2026
ProTip!
Advisories are also available from the
GraphQL API