Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,416
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

73 advisories

Loading
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering Critical
CVE-2026-35490 was published for changedetection.io (pip) Apr 6, 2026
axel-corsiez Credited to axel-corsiez
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation Critical
GHSA-g5cg-8x5w-7jpm was published for openclaw (npm) Apr 2, 2026
AntAISecurityLab Credited to AntAISecurityLab
PraisonAI Has Authentication Bypass via OAuthManager.validate_token() Critical
CVE-2026-34953 was published for praisonai (pip) Apr 1, 2026
YeranG30 Credited to YeranG30
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation Critical
CVE-2026-33579 was published for openclaw (npm) Mar 31, 2026
AntAISecurityLab Credited to AntAISecurityLab
parse-server has cloud function validator bypass via prototype chain traversal Critical
CVE-2026-34532 was published for parse-server (npm) Mar 31, 2026
mtrezza Credited to mtrezza and bugbunny-research bugbunny-research bugbunny-research
Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state Critical
GHSA-hh43-q692-2xmq was published for openclaw (npm) Mar 29, 2026 withdrawn
Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity Critical
GHSA-rwwx-25m7-ww73 was published for openclaw (npm) Mar 29, 2026 withdrawn
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect Critical
GHSA-fqw4-mph7-2vr8 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin Critical
GHSA-9hjh-fr4f-gxc4 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API Critical
CVE-2026-32767 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 16, 2026
iconnnjka Credited to iconnnjka
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter Critical
CVE-2026-30965 was published for parse-server (npm) Mar 11, 2026
theinfosecguy Credited to theinfosecguy and mtrezza mtrezza mtrezza
Rancher has downstream cluster privilege escalation through cluster and project role template binding (CRTB/PRTB) Critical
CVE-2022-31247 was published for github.com/rancher/rancher (Go) Mar 3, 2026
OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway Critical
CVE-2026-28466 was published for openclaw (npm) Mar 2, 2026
222n5 Credited to 222n5
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints Critical
CVE-2026-27112 was published for github.com/akuity/kargo (Go) Feb 19, 2026
b0b0haha Credited to b0b0haha, spingARbor, and krancour spingARbor spingARbor
krancour krancour
External Secrets Operator insecurely retrieves secrets through the getSecretKey templating function Critical
CVE-2026-22822 was published for github.com/external-secrets/external-secrets (Go) Jan 20, 2026
evrardjp Credited to evrardjp, budimanjojo, and gusfcarvalho budimanjojo budimanjojo
gusfcarvalho gusfcarvalho
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label Critical
CVE-2025-55205 was published for github.com/projectcapsule/capsule (Go) Aug 18, 2025
b0b0haha Credited to b0b0haha
XWiki Rendering is vulnerable to RCE attacks when processing nested macros Critical
CVE-2025-53836 was published for org.xwiki.rendering:xwiki-rendering-transformation-macro (Maven) Jul 14, 2025
renniepak Credited to renniepak
Teleport allows remote authentication bypass Critical
CVE-2025-49825 was published for github.com/gravitational/teleport (Go) Jun 16, 2025
Authorization Bypass in Next.js Middleware Critical
CVE-2025-29927 was published for next (npm) Mar 21, 2025
cold-try Credited to cold-try and Wenxin-Jiang Wenxin-Jiang Wenxin-Jiang
IDOR Vulnerabilities in ZITADEL's Admin API that Primarily Impact LDAP Configurations Critical
CVE-2025-27507 was published for github.com/zitadel/zitadel (Go) Mar 4, 2025
amit-laish Credited to amit-laish, livio-a, fforootd, and adlerhurst livio-a livio-a
fforootd fforootd adlerhurst adlerhurst
Improper Authorization vulnerability in Magento and Adobe Commerce Critical
CVE-2025-24434 was published for magento/community-edition (Composer) Feb 11, 2025
ihor-sviziev Credited to ihor-sviziev
XWiki allows remote code execution through the extension sheet Critical
CVE-2024-55662 was published for org.xwiki.platform:xwiki-platform-repository-server-ui (Maven) Dec 12, 2024
Liferay Portal and Liferay DXP Workflow Component Does Not Check User Permissions Critical
CVE-2024-38002 was published for com.liferay.portal:release.dxp.bom (Maven) Oct 22, 2024
Improper Authentication vulnerability in Apache Solr Critical
CVE-2024-45216 was published for org.apache.solr:solr (Maven) Oct 16, 2024
GoAuthentik vulnerable to Insufficient Authorization for several API endpoints Critical
CVE-2024-42490 was published for goauthentik.io (Go) Aug 22, 2024
m2a2 Credited to m2a2
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database