Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,416
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

14 advisories

Loading
fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup) Critical
CVE-2026-35039 was published for fast-jwt (npm) Apr 3, 2026
fasrm Credited to fasrm and SociableSteve SociableSteve SociableSteve
mpp has multiple payment bypass and griefing vulnerabilities Critical
GHSA-fxc9-7j2w-vx54 was published for mpp (Rust) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
mppx has multiple payment bypass and griefing vulnerabilities Critical
GHSA-8x4m-qw58-3pcx was published for mppx (npm) Mar 29, 2026
samczsun Credited to samczsun and veria-labs veria-labs veria-labs
OpenClaw has a potential access-group authorization bypass if channel type lookup fails Critical
CVE-2026-28454 was published for openclaw (npm) Feb 17, 2026
simecek Credited to simecek and stanislavfortaisle stanislavfortaisle stanislavfortaisle
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt Credited to sebastianosrt and mtrezza mtrezza mtrezza
sm-crypto Affected by Private Key Recovery in SM2-PKE Critical
CVE-2026-23966 was published for sm-crypto (npm) Jan 21, 2026
XlabAITeam Credited to XlabAITeam, A7um, tl2cents, and keenanwgn A7um A7um
tl2cents tl2cents keenanwgn keenanwgn
cggmp21 has a missing check in the ZK proof used in CGGMP21 Critical
CVE-2025-66016 was published for cggmp21 (Rust) Nov 25, 2025
AstrBot is vulnerable to RCE with hard-coded JWT signing keys Critical
CVE-2025-55449 was published for astrbot (pip) Nov 14, 2025
Marven11 Credited to Marven11, Raven95676, and Soulter Raven95676 Raven95676
Soulter Soulter
Taylored webhook validation vulnerabilities Critical
GHSA-8g98-m4j9-qww5 was published for taylored (npm) Jun 18, 2025
Fabio allows HTTP clients to manipulate custom headers it adds Critical
CVE-2025-48865 was published for github.com/fabiolb/fabio (Go) May 29, 2025
47Cid Credited to 47Cid
Insufficient Verification of Data Authenticity in python-keystoneclient Critical
CVE-2013-2167 was published for python-keystoneclient (pip) Mar 10, 2020
HTTP client can manipulate custom HTTP headers that are added by Traefik Critical
CVE-2024-45410 was published for github.com/traefik/traefik (Go) Sep 19, 2024
drolmat Credited to drolmat
Prototype Pollution in defaults-deep Critical
CVE-2018-16486 was published for defaults-deep (npm) Feb 7, 2019
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database