Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
50
Go
3,630
Maven
5,000+
npm
5,000+
NuGet
928
pip
4,850
Pub
13
RubyGems
1,045
Rust
1,301
Swift
53
Unreviewed advisories
All unreviewed
5,000+

943 advisories

Loading
A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the... Moderate Unreviewed
CVE-2026-4563 was published Mar 23, 2026
A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the... Low Unreviewed
CVE-2026-4549 was published Mar 22, 2026
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is... Moderate Unreviewed
CVE-2026-2294 was published Mar 21, 2026
Juju has unauthorized update of out-of-scope Vault secrets High
CVE-2026-32692 was published for github.com/juju/juju (Go) Mar 19, 2026
hpidcock Credited to hpidcock
gRPC-Go has an authorization bypass via missing leading slash in :path Critical
CVE-2026-33186 was published for google.golang.org/grpc (Go) Mar 18, 2026
MariuszMaik Credited to MariuszMaik
The WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02) implements a broken authentication... Critical Unreviewed
CVE-2026-30702 was published Mar 18, 2026
Frigte has broken access control viewer user can delete admin and other users account High
CVE-2026-33125 was published for frigate (pip) Mar 18, 2026
czerlun Credited to czerlun
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an... Low Unreviewed
CVE-2026-3237 was published Mar 17, 2026
A security vulnerability has been detected in CodeGenieApp serverless-express up to 4.17.1.... Moderate Unreviewed
CVE-2026-4171 was published Mar 16, 2026
SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB Moderate
CVE-2026-32704 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 13, 2026
fg0x0 Credited to fg0x0
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces High
GHSA-r7vr-gr74-94p8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Feishu reaction events could bypass group authorization and mention gating Moderate
GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning Low
GHSA-q926-c743-49qj was published for github.com/centrifugal/centrifugo (Go) Mar 13, 2026
VarshankNaik Credited to VarshankNaik
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
CVE-2026-32916 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
CVE-2026-32921 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OneUptime has WhatsApp Resend Verification Authorization Bypass Moderate
CVE-2026-30959 was published for @oneuptime/common (npm) Mar 10, 2026
Aryma-f4 Credited to Aryma-f4
OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover Critical
CVE-2026-30956 was published for @oneuptime/common (npm) Mar 10, 2026
Zwique Credited to Zwique
PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3` Moderate
CVE-2026-30870 was published for @powersync/service-core (npm) Mar 7, 2026
rkistner Credited to rkistner
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage Critical
CVE-2026-30869 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 7, 2026
Zwique Credited to Zwique
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator High
CVE-2026-3009 was published for org.keycloak:keycloak-services (Maven) Mar 5, 2026
Cross-Site Request Forgery (CSRF) vulnerability in rustdesk-client RustDesk Client rustdesk... Critical Unreviewed
CVE-2026-30793 was published Mar 5, 2026
Kimai's API invoice endpoint missing customer-level access control (IDOR) Moderate
CVE-2026-28685 was published for kimai/kimai (Composer) Mar 4, 2026
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role High
CVE-2026-27803 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso
OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access Moderate
CVE-2026-32034 was published for openclaw (npm) Mar 3, 2026
Vasco0x4 Credited to Vasco0x4
OpenClaw DM pairing-store identities could satisfy group allowlist authorization High
CVE-2026-32027 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database