GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,413; Maven 5,000+; npm 5,000+; NuGet 882; pip 4,656; Pub 13; RubyGems 1,027; Rust 1,209; Swift 53.
Unreviewed advisories: 5,000+.
3,264 advisories, newest first:
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
  Critical | CVE-2026-35490 | changedetection.io (pip) | published Apr 6, 2026

pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)
  High | CVE-2026-35464 | pyload-ng (pip) | published Apr 4, 2026

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
  High | CVE-2026-35442 | directus (npm) | published Apr 4, 2026

Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
  High | CVE-2026-35412 | directus (npm) | published Apr 4, 2026

LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
  High | CVE-2026-35029 | litellm (pip) | published Apr 3, 2026

Juju has a resource poisoning vulnerability
  High | CVE-2025-68153 | github.com/juju/juju (Go) | published Apr 3, 2026

Juju: Read All Controller Logs From Compromised Workload
  Moderate | CVE-2025-68152 | github.com/juju/juju (Go) | published Apr 3, 2026

OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message
  Moderate | GHSA-6336-qqw9-v6x6 | openclaw (npm) | published Apr 3, 2026

OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist
  Moderate | GHSA-rvvf-6vh3-9j43 | openclaw (npm) | published Apr 3, 2026

OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
  High | GHSA-h5hg-h7rr-gpf3 | openclaw (npm) | published Apr 3, 2026

OpenClaw: Discord voice manager bypasses channel-level member access allowlist
  Moderate | GHSA-cqgw-44wg-44rf | openclaw (npm) | published Apr 3, 2026

OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
  High | GHSA-gjm7-hw8f-73rq | openclaw (npm) | published Apr 3, 2026

OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
  High | GHSA-g374-mggx-p6xc | openclaw (npm) | published Apr 3, 2026

OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
  High | GHSA-xj9w-5r6q-x6v4 | openclaw (npm) | published Apr 3, 2026

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges...
  Critical | Unreviewed | CVE-2026-32213 | published Apr 3, 2026

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to...
  Critical | Unreviewed | CVE-2026-33105 | published Apr 3, 2026

Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose...
  High | Unreviewed | CVE-2026-32173 | published Apr 3, 2026

OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
  Low | GHSA-chfm-xgc4-47rj | openclaw (npm) | published Apr 2, 2026

OpenClaw: Matrix thread root and reply context bypass sender allowlist
  Low | GHSA-rg8m-3943-vm6q | openclaw (npm) | published Apr 2, 2026

OpenClaw: Feishu thread history and quoted messages bypass sender allowlist
  Moderate | GHSA-877v-w3f5-3pcq | openclaw (npm) | published Apr 2, 2026

OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
  Critical | GHSA-g5cg-8x5w-7jpm | openclaw (npm) | published Apr 2, 2026

PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
  Critical | CVE-2026-34953 | praisonai (pip) | published Apr 1, 2026

openssl-encrypt has CORS wildcard with allow_credentials=True in standalone servers
  Moderate | GHSA-c65f-x25w-62jv | openssl-encrypt (pip) | published Apr 1, 2026

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This...
  High | Unreviewed | CVE-2025-71278 | published Apr 1, 2026

OpenClaw gateway exec allow-always over-trusts positional carrier executables
  High | GHSA-p4x4-2r7f-wjxg | openclaw (npm) | published Apr 1, 2026
Advisories are also available from the GraphQL API.
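The GraphQL route mentioned above, as an added example that is not GitHub's own code: it requests one page of the securityAdvisories connection newest first, flattens each advisory to one record per affected package (an advisory often covers several), and filters by ecosystem and minimum severity so a team can pull, say, every pip advisory at High or above. It assumes a personal access token in the GITHUB_TOKEN environment variable and the field names of the public GraphQL schema (securityAdvisories, ghsaId, identifiers, vulnerabilities, firstPatchedVersion); SAMPLE_RESPONSE is constructed in the shape the API returns so the parsing runs offline, and its package names, version ranges and identifiers are placeholders that describe no real advisory.

```python
# Added example: query the GitHub Advisory Database over GraphQL (not GitHub's code).
# Assumes GITHUB_TOKEN holds a personal access token; SAMPLE_RESPONSE is constructed.
import json
import os
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"
SEVERITY_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]  # API enum values, lowest first

ADVISORIES_QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt
      identifiers { type value }
      vulnerabilities(first: 20) { nodes {
        package { ecosystem name } vulnerableVersionRange firstPatchedVersion { identifier }
      } }
    }
  }
}"""


def fetch_advisories(first=50, after=None, token=None):
    """Fetch one page of advisories, newest first (network call; needs a token)."""
    token = token or os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("GITHUB_TOKEN is not set")
    payload = json.dumps({"query": ADVISORIES_QUERY,
                          "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=payload, method="POST",
        headers={"Authorization": f"bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_advisories(response):
    """Flatten a response to one record per (advisory, affected package).

    Returns (records, page_info); page_info["endCursor"] is the `after` of the next fetch."""
    if response.get("errors"):
        raise RuntimeError(response["errors"])
    conn = response["data"]["securityAdvisories"]
    records = []
    for adv in conn["nodes"]:
        cve = next((i["value"] for i in adv["identifiers"] if i["type"] == "CVE"), None)
        for vuln in adv["vulnerabilities"]["nodes"]:
            patched = vuln["firstPatchedVersion"]
            records.append({
                "ghsa_id": adv["ghsaId"], "cve": cve, "severity": adv["severity"],
                "published_at": adv["publishedAt"], "summary": adv["summary"],
                "ecosystem": vuln["package"]["ecosystem"], "package": vuln["package"]["name"],
                "vulnerable_range": vuln["vulnerableVersionRange"],
                # None when no fixed release exists yet; the record is still actionable.
                "first_patched": patched["identifier"] if patched else None,
            })
    return records, conn["pageInfo"]


def filter_records(records, ecosystem=None, min_severity="LOW"):
    """Keep records for one ecosystem (e.g. "PIP") at or above a severity."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [r for r in records
            if (ecosystem is None or r["ecosystem"] == ecosystem)
            and SEVERITY_ORDER.index(r["severity"]) >= floor]


def _sample_node(ghsa, summary, severity, date, vulns, cve=None):
    """Build one advisory node in the API's shape for the constructed sample."""
    ids = [{"type": "GHSA", "value": ghsa}] + ([{"type": "CVE", "value": cve}] if cve else [])
    nodes = [{"package": {"ecosystem": eco, "name": name}, "vulnerableVersionRange": rng,
              "firstPatchedVersion": {"identifier": fix} if fix else None}
             for eco, name, rng, fix in vulns]
    return {"ghsaId": ghsa, "summary": summary, "severity": severity, "publishedAt": date,
            "identifiers": ids, "vulnerabilities": {"nodes": nodes}}


# Constructed sample response; names, ranges and identifiers are placeholders only.
SAMPLE_RESPONSE = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": "Y3Vyc29yOjM="},
    "nodes": [
        _sample_node("GHSA-aaaa-bbbb-cccc", "example-auth: authentication bypass", "CRITICAL",
                     "2026-04-06T00:00:00Z", [("PIP", "example-auth", "< 2.4.1", "2.4.1")],
                     cve="CVE-0000-00000"),  # placeholder identifier, not a real CVE
        _sample_node("GHSA-dddd-eeee-ffff", "example-cms: upload authorization bypass", "HIGH",
                     "2026-04-04T00:00:00Z", [("NPM", "example-cms", ">= 10.0.0, < 11.5.0", "11.5.0"),
                                               ("NPM", "@example/cms-api", "< 11.5.0", None)]),
        _sample_node("GHSA-gggg-hhhh-iiii", "example-crypto: permissive CORS", "MODERATE",
                     "2026-04-01T00:00:00Z", [("PIP", "example-crypto", "<= 1.0.3", None)]),
    ]}}}

if __name__ == "__main__":
    # Live API when a token is present, otherwise the constructed sample.
    response = fetch_advisories() if os.environ.get("GITHUB_TOKEN") else SAMPLE_RESPONSE
    records, page = parse_advisories(response)
    for r in filter_records(records, ecosystem="PIP", min_severity="HIGH"):
        print(r["ghsa_id"], r["severity"], r["package"], r["vulnerable_range"], r["first_patched"])
```

For a full sync, loop on fetch_advisories(after=page["endCursor"]) while page["hasNextPage"] is true; the publishedSince argument of the same connection (not used above) narrows a scheduled run to advisories published since the last one.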