Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,413
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

603 advisories

Loading
Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code... Critical Unreviewed
CVE-2026-22679 was published Apr 7, 2026
A specific endpoint exposes all user account information for registered Gardyn users without... Critical Unreviewed
CVE-2026-28766 was published Apr 3, 2026
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization Critical
CVE-2026-0545 was published for mlflow (pip) Apr 3, 2026
Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker... Critical Unreviewed
CVE-2026-32211 was published Apr 3, 2026
HiOS Switch Platform contains a denial-of-service vulnerability in the web interface that allows... Critical Unreviewed
CVE-2025-15620 was published Apr 2, 2026
PraisonAI Has Missing Authentication in WebSocket Gateway Critical
CVE-2026-34952 was published for praisonai (pip) Apr 1, 2026
YeranG30 Credited to YeranG30
The MAVLink communication protocol does not require cryptographic authentication by default.... Critical Unreviewed
CVE-2026-1579 was published Mar 31, 2026
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows... Critical Unreviewed
CVE-2026-3356 was published Mar 31, 2026
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover Critical
CVE-2026-33032 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
yotampe-pluto Credited to yotampe-pluto
A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show... Critical Unreviewed
CVE-2026-2417 was published Mar 24, 2026
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege... Critical Unreviewed
CVE-2019-25568 was published Mar 21, 2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform... Critical Unreviewed
CVE-2026-29796 was published Mar 21, 2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform... Critical Unreviewed
CVE-2026-25192 was published Mar 21, 2026
A missing authentication for critical function vulnerability has been reported to affect QVR Pro.... Critical Unreviewed
CVE-2026-22898 was published Mar 20, 2026
Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware (component: REST... Critical Unreviewed
CVE-2026-21992 was published Mar 20, 2026
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload... Critical Unreviewed
CVE-2026-32985 was published Mar 20, 2026
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint Critical
GHSA-wvr4-3wq4-gpc5 was published for mcp-bridge (npm) Mar 19, 2026
riczardo Credited to riczardo
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint Critical
CVE-2026-33017 was published for langflow (pip) Mar 17, 2026
Aviral2642 Credited to Aviral2642, andifilhohub, Jkavia, and srmish-jfrog andifilhohub andifilhohub
Jkavia Jkavia srmish-jfrog srmish-jfrog
The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including... Critical Unreviewed
CVE-2026-32297 was published Mar 17, 2026
GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability,... Critical Unreviewed
CVE-2026-4312 was published Mar 17, 2026
The Honeywell IQ4x building management controller, exposes its full web-based HMI without... Critical Unreviewed
CVE-2026-3611 was published Mar 12, 2026
Linkdave Missing Authentication on REST and WebSocket endpoints Critical
GHSA-xv8g-fj9h-6gmv was published for github.com/shi-gg/linkdave (Go) Mar 10, 2026
shi-gg Credited to shi-gg
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform... Critical Unreviewed
CVE-2026-26288 was published Mar 6, 2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform... Critical Unreviewed
CVE-2026-26051 was published Mar 6, 2026
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform... Critical Unreviewed
CVE-2026-22552 was published Mar 6, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database