Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,426
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,670
Pub
13
RubyGems
1,029
Rust
1,212
Swift
53
Unreviewed advisories
All unreviewed
5,000+

273 advisories

Loading
Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys High
CVE-2026-29196 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Netmaker has Insufficient Authorization in Host Token Verification High
CVE-2026-29194 was published for github.com/gravitl/netmaker (Go) Mar 9, 2026
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange High
CVE-2026-28513 was published for github.com/pocket-id/pocket-id/backend (Go) Mar 9, 2026
dorakemon Credited to dorakemon
Flowise has Authorization Bypass via Spoofed x-request-from Header High
CVE-2026-30820 was published for flowise (npm) Mar 6, 2026
N3mes1s Credited to N3mes1s
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user High
CVE-2026-30229 was published for parse-server (npm) Mar 6, 2026
devanshbatham Credited to devanshbatham and mtrezza mtrezza mtrezza
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator High
CVE-2026-3009 was published for org.keycloak:keycloak-services (Maven) Mar 5, 2026
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction High
CVE-2026-29182 was published for parse-server (npm) Mar 5, 2026
asukachloe Credited to asukachloe, mtrezza, and devanshbatham mtrezza mtrezza
devanshbatham devanshbatham
Vaultwarden's Collection Management Operations Allowed Without `manage` Verification for Manager Role High
CVE-2026-27803 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso
Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager High
CVE-2026-27802 was published for vaultwarden (Rust) Mar 4, 2026
odgrso Credited to odgrso and BlackDex BlackDex BlackDex
@hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware High
CVE-2026-29087 was published for @hono/node-server (npm) Mar 4, 2026
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows High
CVE-2026-32005 was published for openclaw (npm) Mar 4, 2026
tdjackey Credited to tdjackey
OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains High
CVE-2026-27566 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt High
GHSA-7ff8-xjh3-mgh6 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's `tools.exec.safeBins` PATH-hijack allowed trojan binaries to bypass allowlist checks High
CVE-2026-32015 was published for openclaw (npm) Mar 3, 2026
jackhax Credited to jackhax
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode High
CVE-2026-32059 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default) High
CVE-2026-32007 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw DM pairing-store identities could satisfy group allowlist authorization High
CVE-2026-32027 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection High
GHSA-qj22-xqjr-v83v was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy High
CVE-2026-32014 was published for openclaw (npm) Mar 3, 2026
76embiid21 Credited to 76embiid21
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments High
CVE-2026-22168 was published for openclaw (npm) Mar 2, 2026
tdjackey Credited to tdjackey
OliveTin has Unauthenticated Action Termination via KillAction When Guests Must Login High
CVE-2026-28790 was published for github.com/OliveTin/OliveTin (Go) Mar 2, 2026
kule500 Credited to kule500
Nest has a Fastify URL Encoding Middleware Bypass High
CVE-2026-2293 was published for @nestjs/platform-fastify (npm) Mar 2, 2026
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass High
GHSA-7q64-3rg2-h9pf was published for @nestjs/platform-fastify (npm) Feb 27, 2026 withdrawn
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level High
CVE-2026-27899 was published for github.com/h44z/wg-portal (Go) Feb 26, 2026
gregtuc Credited to gregtuc
RustFS: Missing Post Policy Validation leads to Arbitrary Object Write High
CVE-2026-27607 was published for rustfs (Rust) Feb 25, 2026
nikeee Credited to nikeee
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database