GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
12,022 advisories
Admidio is Missing Authorization on Forum Topic and Post Deletion
Moderate. GHSA-g375-5wmp-xr78 was published for admidio/admidio (Composer) on Mar 16, 2026.
Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Moderate. CVE-2026-32757 was published for admidio/admidio (Composer) on Mar 16, 2026.
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
Moderate. CVE-2026-32812 was published for admidio/admidio (Composer) on Mar 16, 2026.
Admidio is Missing CSRF Protection on Role Membership Date Changes
Moderate. CVE-2026-32755 was published for admidio/admidio (Composer) on Mar 16, 2026.
Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions
Moderate. GHSA-wwg8-6ffr-h4q2 was published for admidio/admidio (Composer) on Mar 16, 2026.
Permissive List of Allowed Inputs in ewe
Moderate. GHSA-9w88-79f8-m3vp was published for ewe (Erlang) on Mar 16, 2026.
Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration
Moderate. GHSA-j94x-8wcp-x7hm was published for github.com/akuity/kargo (Go) on Mar 16, 2026.
File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
Moderate. CVE-2026-32758 was published for github.com/filebrowser/filebrowser/v2 (Go) on Mar 16, 2026.
SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS
Moderate. GHSA-v3mg-9v85-fcm7 was published for siyuan (Go) on Mar 16, 2026.
File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely
Moderate. CVE-2026-32759 was published for github.com/filebrowser/filebrowser/v2 (Go) on Mar 16, 2026.
OpenClaw session transcript files were created without forced user-only permissions
Moderate. GHSA-vr7j-g7jv-h5mp was published for openclaw (npm) on Mar 16, 2026.
OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs
Moderate. GHSA-xwcj-hwhf-h378 was published for openclaw (npm) on Mar 16, 2026.
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
Moderate. CVE-2026-32751 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 16, 2026.
SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes
Moderate. CVE-2026-32750 was published for github.com/siyuan-note/siyuan (Go) on Mar 16, 2026.
SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
Moderate. GHSA-xp2m-98x8-rpj6 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 16, 2026.
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Moderate. CVE-2026-32747 was published for github.com/siyuan-note/siyuan/kernel (Go) on Mar 16, 2026.
Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Moderate. CVE-2026-32265 was published for craftcms/aws-s3 (Composer) on Mar 16, 2026.
Craft CMS has a Path Traversal Vulnerability in AssetsController
Moderate. CVE-2026-32262 was published for craftcms/cms (Composer) on Mar 16, 2026.
SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers
Moderate. CVE-2026-32723 was published for @nyariv/sandboxjs (npm) on Mar 16, 2026.
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Moderate. CVE-2026-32632 was published for Glances (pip) on Mar 16, 2026.
LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
Moderate. CVE-2026-28499 was published for leaf-kit (Swift) on Mar 16, 2026.
Apache Livy: Restrict file access
Moderate. CVE-2025-60012 was published for org.apache.livy:livy-server (Maven) on Mar 13, 2026.
Apache Livy: Unauthorized directory access
Moderate. CVE-2025-66249 was published for org.apache.livy:livy-server (Maven) on Mar 13, 2026.
fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`
Moderate. GHSA-5cxw-w2xg-2m8h was published for fickling (pip) on Mar 13, 2026.
fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist
Moderate. GHSA-r48f-3986-4f9c was published for fickling (pip) on Mar 13, 2026.
ProTip! Advisories are also available from the GraphQL API.