GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 49
GitHub Actions: 49
Go: 3,426
Maven: 5,000+
npm: 5,000+
NuGet: 882
pip: 4,670
Pub: 13
RubyGems: 1,029
Rust: 1,212
Swift: 53
Unreviewed advisories (all): 5,000+
494 advisories in this listing. Each entry gives the title, then identifier | severity | affected package (ecosystem), or "Unreviewed" where no package is listed | publication date.

Insufficient verification of data authenticity in Windows App Installer allows an unauthorized...
  CVE-2026-23656 | Moderate | Unreviewed | published Mar 10, 2026

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
  CVE-2026-30920 | High | @oneuptime/common (npm) | published Mar 9, 2026

A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg...
  CVE-2026-3706 | Moderate | Unreviewed | published Mar 8, 2026

Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
  CVE-2026-30851 | High | github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) | published Mar 6, 2026

OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
  CVE-2026-30223 | High | github.com/OliveTin/OliveTin (Go) | published Mar 5, 2026

Gogs: Cross-repository LFS object overwrite via missing content hash verification
  CVE-2026-25921 | Critical | gogs.io/gogs (Go) | published Mar 5, 2026

Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions...
  CVE-2026-30798 | High | Unreviewed | published Mar 5, 2026

OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
  GHSA-gcj7-r3hg-m7w6 | Low | openclaw (npm) | published Mar 3, 2026

OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
  CVE-2026-32029 | Moderate | openclaw (npm) | published Mar 3, 2026

An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance...
  CVE-2025-63910 | High | Unreviewed | published Mar 3, 2026

A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function...
  CVE-2025-15598 | Moderate | Unreviewed | published Mar 3, 2026

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification...
  CVE-2026-2428 | High | Unreviewed | published Feb 27, 2026

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android...
  CVE-2026-27510 | Moderate | Unreviewed | published Feb 26, 2026

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
  CVE-2026-27804 | Critical | parse-server (npm) | published Feb 25, 2026

Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
  CVE-2026-27700 | High | hono (npm) | published Feb 25, 2026

A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function...
  CVE-2026-2968 | Moderate | Unreviewed | published Feb 23, 2026

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu,...
  CVE-2026-2385 | Moderate | Unreviewed | published Feb 22, 2026

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login...
  CVE-2025-14444 | Moderate | Unreviewed | published Feb 18, 2026

OpenClaw inter-session prompts could be treated as direct user instructions
  GHSA-w5c7-9qqw-6645 | High | openclaw (npm) | published Feb 18, 2026

OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
  CVE-2026-26327 | High | openclaw (npm) | published Feb 18, 2026

OpenClaw has a potential access-group authorization bypass if channel type lookup fails
  CVE-2026-28454 | Critical | openclaw (npm) | published Feb 17, 2026

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
  CVE-2026-28465 | High | @clawdbot/voice-call (npm) | published Feb 17, 2026

OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
  CVE-2026-25474 | High | openclaw (npm) | published Feb 17, 2026

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
  CVE-2026-26007 | High | cryptography (pip) | published Feb 10, 2026

User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows...
  CVE-2026-21527 | Moderate | Unreviewed | published Feb 10, 2026
Advisories are also available from the GraphQL API.