Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,413
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

202 advisories

Loading
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
CVE-2026-34511 was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of uploaded firmware... High Unreviewed
CVE-2026-32290 was published Mar 17, 2026
OneUptime WhatsApp Webhook Missing Signature Verification High
CVE-2026-33143 was published for oneuptime (npm) Mar 18, 2026
n0rv-TvT Credited to n0rv-TvT
A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.1_20171024151200. This... High Unreviewed
CVE-2026-4478 was published Mar 20, 2026
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker... High Unreviewed
CVE-2026-32294 was published Mar 17, 2026
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions... High Unreviewed
CVE-2026-30798 was published Mar 5, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations High
CVE-2026-28465 was published for @clawdbot/voice-call (npm) Feb 17, 2026
0x5t Credited to 0x5t
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation High
CVE-2026-30851 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) Mar 6, 2026
NucleiAv Credited to NucleiAv
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes High
CVE-2026-30223 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
The recovery module has a vulnerability of bypassing the verification of an update package before... High Unreviewed
CVE-2022-37008 was published Aug 11, 2022
An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance... High Unreviewed
CVE-2025-63910 was published Mar 3, 2026
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification... High Unreviewed
CVE-2026-2428 was published Feb 27, 2026
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning High
CVE-2026-26327 was published for openclaw (npm) Feb 18, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass High
CVE-2026-25474 was published for openclaw (npm) Feb 17, 2026
yueyueL Credited to yueyueL
OpenClaw inter-session prompts could be treated as direct user instructions High
GHSA-w5c7-9qqw-6645 was published for openclaw (npm) Feb 18, 2026
anbecker Credited to anbecker
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport... High Unreviewed
CVE-2026-1642 was published Feb 4, 2026
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves High
CVE-2026-26007 was published for cryptography (pip) Feb 10, 2026
XlabAITeam Credited to XlabAITeam, tl2cents, keenanwgn, and A7um tl2cents tl2cents
keenanwgn keenanwgn A7um A7um
Duplicate Advisory: EVE Doesn't Protect Rootfs High
GHSA-x9mp-jm4h-jjf8 was published for github.com/lf-edge/eve/pkg/grub (Go) Sep 20, 2023 withdrawn
React Router allows pre-render data spoofing on React-Router framework mode High
CVE-2025-43865 was published for react-router (npm) Apr 24, 2025
cold-try Credited to cold-try and mhassan1 mhassan1 mhassan1
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database