Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,426
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,670
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

494 advisories

Loading
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization Critical
CVE-2026-39324 was published for rack-session (RubyGems) Apr 8, 2026
sm1ee Credited to sm1ee, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php Moderate
CVE-2026-39366 was published for wwbn/avideo (Composer) Apr 8, 2026
offset Credited to offset
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
CVE-2026-34511 was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More... Moderate Unreviewed
CVE-2026-3177 was published Apr 7, 2026
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
Electron: Service worker can spoof executeJavaScript IPC replies Moderate
CVE-2026-34778 was published for electron (npm) Apr 3, 2026
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows... Moderate Unreviewed
CVE-2026-30603 was published Apr 2, 2026
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
mppx has multiple payment bypass and griefing vulnerabilities Critical
GHSA-8x4m-qw58-3pcx was published for mppx (npm) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
OpenFGA has an Authorization Bypass through cached keys Moderate
CVE-2026-33729 was published for github.com/openfga/openfga (Go) Mar 26, 2026
justincoh Credited to justincoh and saad-h1 saad-h1 saad-h1
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution Moderate
GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions Moderate
CVE-2026-32029 was published for openclaw (npm) Mar 3, 2026
AnthonyDiSanti Credited to AnthonyDiSanti and vincentkoc vincentkoc vincentkoc
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of uploaded firmware... High Unreviewed
CVE-2026-32290 was published Mar 17, 2026
A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file... Moderate Unreviewed
CVE-2026-4115 was published Mar 22, 2026
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the... Low Unreviewed
CVE-2026-4541 was published Mar 22, 2026
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
n0rv-TvT Credited to n0rv-TvT
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This... High Unreviewed
CVE-2026-4478 was published Mar 20, 2026
Malformed Device Reset Locally Command Class packets can be sent to the controller, causing the... Moderate Unreviewed
CVE-2023-6533 was published Feb 21, 2024
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker... High Unreviewed
CVE-2026-32294 was published Mar 17, 2026
HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not... Low Unreviewed
CVE-2025-52645 was published Mar 16, 2026
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg... Moderate Unreviewed
CVE-2026-3706 was published Mar 8, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database