Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,417
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,658
Pub
13
RubyGems
1,027
Rust
1,211
Swift
53
Unreviewed advisories
All unreviewed
5,000+

57 advisories

Loading
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
CVE-2026-34511 was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
n0rv-TvT Credited to n0rv-TvT
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation High
CVE-2026-30851 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) Mar 6, 2026
NucleiAv Credited to NucleiAv
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes High
CVE-2026-30223 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
OpenClaw inter-session prompts could be treated as direct user instructions High
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026
anbecker Credited to anbecker
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
0x5t Credited to 0x5t
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass High
CVE-2026-25474 was published for openclaw (npm) Feb 17, 2026
yueyueL Credited to yueyueL
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam Credited to XlabAITeam, tl2cents, keenanwgn, and A7um tl2cents tl2cents
keenanwgn keenanwgn A7um A7um
Rancher CLI SAML authentication is vulnerable to phishing attacks High
CVE-2024-58267 was published for github.com/rancher/rancher (Go) Sep 26, 2025
Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass) High
CVE-2025-59420 was published for authlib (pip) Sep 22, 2025
AL-Cybision Credited to AL-Cybision
@clerk/backend Performs Insufficient Verification of Data Authenticity High
CVE-2025-53548 was published for @clerk/astro (npm) Jul 9, 2025
GautierT Credited to GautierT
React Router allows pre-render data spoofing on React-Router framework mode High
CVE-2025-43865 was published for react-router (npm) Apr 24, 2025
cold-try Credited to cold-try and mhassan1 mhassan1 mhassan1
Vela Server Has Insufficient Webhook Payload Data Verification High
CVE-2025-27616 was published for github.com/go-vela/server (Go) Mar 10, 2025
CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts High
GHSA-r3r4-g7hq-pq4f was published for github.com/cometbft/cometbft (Go) Feb 3, 2025
unknownfeature Credited to unknownfeature
Laravel Reverb Missing API Signature Verification High
CVE-2024-50347 was published for laravel/reverb (Composer) Oct 31, 2024
RobertBoes Credited to RobertBoes
Gradio lacks integrity checking on the downloaded FRP client High
CVE-2024-47867 was published for gradio (pip) Oct 10, 2024
ahpaleus Credited to ahpaleus and Vasco-jofra Vasco-jofra Vasco-jofra
DNSJava DNSSEC Bypass High
CVE-2024-25638 was published for dnsjava:dnsjava (Maven) Jul 22, 2024
bellebaum Credited to bellebaum, schanzen, milux, and levpachmanov schanzen schanzen
milux milux levpachmanov levpachmanov
WildFly Elytron: OIDC app attempting to access the second tenant, the user should be prompted to log High
CVE-2023-6236 was published for org.wildfly.security:wildfly-elytron-http-oidc (Maven) Apr 10, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database