Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,410
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,645
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

491 advisories

Loading
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
GHSA-9jpj-g8vv-j5mf was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
Electron: Service worker can spoof executeJavaScript IPC replies Moderate
CVE-2026-34778 was published for electron (npm) Apr 3, 2026
An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows... Moderate Unreviewed
CVE-2026-30603 was published Apr 2, 2026
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
mppx has multiple payment bypass and griefing vulnerabilities Critical
GHSA-8x4m-qw58-3pcx was published for mppx (npm) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution Moderate
GHSA-rvqr-hrcc-j9vv was published for openclaw (npm) Mar 26, 2026
nexrin Credited to nexrin
OpenFGA has an Authorization Bypass through cached keys Moderate
CVE-2026-33729 was published for github.com/openfga/openfga (Go) Mar 26, 2026
justincoh Credited to justincoh and saad-h1 saad-h1 saad-h1
A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file... Moderate Unreviewed
CVE-2026-4115 was published Mar 22, 2026
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the... Low Unreviewed
CVE-2026-4541 was published Mar 22, 2026
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This... High Unreviewed
CVE-2026-4478 was published Mar 20, 2026
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
n0rv-TvT Credited to n0rv-TvT
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker... High Unreviewed
CVE-2026-32294 was published Mar 17, 2026
The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of uploaded firmware... High Unreviewed
CVE-2026-32290 was published Mar 17, 2026
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not... Low Unreviewed
CVE-2025-52645 was published Mar 16, 2026
HCL AION is affected by a vulnerability where container base images are not properly... Moderate Unreviewed
CVE-2025-52638 was published Mar 16, 2026
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
Insufficient verification of data authenticity in Windows App Installer allows an unauthorized... Moderate Unreviewed
CVE-2026-23656 was published Mar 10, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg... Moderate Unreviewed
CVE-2026-3706 was published Mar 8, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database