Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,413
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

59 advisories

Loading
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
mppx has multiple payment bypass and griefing vulnerabilities Critical
GHSA-8x4m-qw58-3pcx was published for mppx (npm) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
CVE-2026-28454 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt Credited to sebastianosrt and mtrezza mtrezza mtrezza
sm-crypto Affected by Private Key Recovery in SM2-PKE Critical
CVE-2026-23966 was published for sm-crypto (npm) Jan 21, 2026
XlabAITeam Credited to XlabAITeam, A7um, tl2cents, and keenanwgn A7um A7um
tl2cents tl2cents keenanwgn keenanwgn
Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi... Critical Unreviewed
CVE-2025-15385 was published Jan 6, 2026
Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni... Critical Unreviewed
CVE-2025-66255 was published Nov 26, 2025
cggmp21 has a missing check in the ZK proof used in CGGMP21 Critical
CVE-2025-66016 was published for cggmp21 (Rust) Nov 25, 2025
AstrBot is vulnerable to RCE with hard-coded JWT signing keys Critical
CVE-2025-55449 was published for astrbot (pip) Nov 14, 2025
Marven11 Credited to Marven11, Raven95676, and Soulter Raven95676 Raven95676
Soulter Soulter
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.750 Application 20.0.1442... Critical Unreviewed
CVE-2025-27680 was published Mar 5, 2025
IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks... Critical Unreviewed
CVE-2025-27558 was published May 21, 2025
An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated... Critical Unreviewed
CVE-2022-26871 was published Mar 30, 2022
Thunderbird ignored paths when checking the validity of navigations in a frame. This... Critical Unreviewed
CVE-2025-8038 was published Jul 22, 2025
Taylored webhook validation vulnerabilities Critical
GHSA-8g98-m4j9-qww5 was published for taylored (npm) Jun 18, 2025
Fabio allows HTTP clients to manipulate custom headers it adds Critical
CVE-2025-48865 was published for github.com/fabiolb/fabio (Go) May 29, 2025
47Cid Credited to 47Cid
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server... Critical Unreviewed
CVE-2022-31813 was published Jun 10, 2022
RSFirewall tries to identify the original IP address by looking at different HTTP headers. A... Critical Unreviewed
CVE-2021-4226 was published Dec 15, 2022
Insufficient Verification of Data Authenticity vulnerability in Mitsubishi Electric Corporation... Critical Unreviewed
CVE-2023-4699 was published Nov 6, 2023
Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware... Critical Unreviewed
CVE-2023-28386 was published May 22, 2023
Affected devices beacon to eCharge cloud infrastructure asking if there are any command they... Critical Unreviewed
CVE-2024-11666 was published Nov 25, 2024
Insufficient Verification of Data Authenticity in python-keystoneclient Critical
CVE-2013-2167 was published for python-keystoneclient (pip) Mar 10, 2020
HTTP client can manipulate custom HTTP headers that are added by Traefik Critical
CVE-2024-45410 was published for github.com/traefik/traefik (Go) Sep 19, 2024
drolmat Credited to drolmat
The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not... Critical Unreviewed
CVE-2024-1554 was published Feb 20, 2024
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database