GitHub Advisory Database
A security vulnerability database covering CVEs and GitHub-originated security advisories for open source software.
GitHub reviewed advisories, by ecosystem (all reviewed: 5,000+):
Composer 5,000+; Erlang 49; GitHub Actions 49; Go 3,413; Maven 5,000+; npm 5,000+; NuGet 882; pip 4,656; Pub 13; RubyGems 1,027; Rust 1,209; Swift 53.

Unreviewed advisories (all unreviewed): 5,000+

29,483 advisories match the current filter; the first page is listed below, and every entry on it is rated Critical.
CVE-2026-34875 (Critical, unreviewed), published Apr 1, 2026
    An issue was discovered in Mbed TLS through 3.6.5 and TF-PSA-Crypto 1.0.0. A buffer overflow can...

CVE-2026-30643 (Critical, unreviewed), published Apr 1, 2026
    An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup...

CVE-2026-20160 (Critical, unreviewed), published Apr 1, 2026
    A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an...

CVE-2024-43028 (Critical, unreviewed), published Apr 1, 2026
    A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3...

CVE-2024-40489 (Critical, unreviewed), published Apr 1, 2026
    There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character...

CVE-2026-20093 (Critical, unreviewed), published Apr 1, 2026
    A vulnerability in the change password functionality of Cisco Integrated Management Controller ...

CVE-2026-31027 (Critical, unreviewed), published Apr 1, 2026
    TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig...

CVE-2026-34751 (Critical, GitHub reviewed) for @payloadcms/graphql (npm), published Apr 1, 2026
    Payload has Unvalidated Input in Password Recovery Endpoints

CVE-2026-29014 (Critical, unreviewed), published Apr 1, 2026
    MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection...

CVE-2026-5288 (Critical, unreviewed), published Apr 1, 2026
    Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote...

CVE-2026-5290 (Critical, unreviewed), published Apr 1, 2026
    Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker...

CVE-2026-5289 (Critical, unreviewed), published Apr 1, 2026
    Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker...

CVE-2025-15484 (Critical, unreviewed), published Apr 1, 2026
    The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's...

CVE-2025-71279 (Critical, unreviewed), published Apr 1, 2026
    XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user...

CVE-2026-34557 (Critical, GitHub reviewed) for ci4-cms-erp/ci4ms (Composer), published Apr 1, 2026
    CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CVE-2026-34558 (Critical, GitHub reviewed) for ci4-cms-erp/ci4ms (Composer), published Apr 1, 2026
    CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

GHSA-8rh7-6779-cjqq (Critical, GitHub reviewed) for openclaw (npm), published Apr 1, 2026
    OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover

GHSA-j7p2-qcwm-94v4 (Critical, GitHub reviewed) for openclaw (npm), published Mar 31, 2026
    OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides

CVE-2026-33579 (Critical, GitHub reviewed) for openclaw (npm), published Mar 31, 2026
    OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

CVE-2026-34532 (Critical, GitHub reviewed) for parse-server (npm), published Mar 31, 2026
    parse-server has cloud function validator bypass via prototype chain traversal

GHSA-h45m-mgcp-q388 (Critical, GitHub reviewed) for openssl-encrypt (pip), published Mar 31, 2026
    openssl-encrypt: TOTP rate limiter is in-memory only, not shared across workers and lost on restart

CVE-2026-34449 (Critical, GitHub reviewed) for github.com/siyuan-note/siyuan/kernel (Go), published Mar 31, 2026
    SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection

CVE-2026-34448 (Critical, GitHub reviewed) for github.com/siyuan-note/siyuan/kernel (Go), published Mar 31, 2026
    SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client

CVE-2026-32871 (Critical, GitHub reviewed) for fastmcp (pip), published Mar 31, 2026
    FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

CVE-2026-32714 (Critical, GitHub reviewed) for scitokens (pip), published Mar 31, 2026
    SciTokens is vulnerable to SQL Injection in KeyCache
Tip: Advisories are also available from the GraphQL API.
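One way to pull the same Critical-only view programmatically, as an added example that is not GitHub's own code: it builds a `securityAdvisories` query (field names as in GitHub's published GraphQL schema; check the schema reference if the API rejects the query), runs it live only when a GITHUB_TOKEN environment variable is set, and otherwise parses a constructed sample response modelled on two entries above. The sample's timestamps and the HIGH-severity filler entry are constructed, and the version-range fields are left out of the sample because the listing does not show them.

```python
"""Pull Critical advisories from the GitHub Advisory Database via GraphQL.

Added example; not GitHub's code. Field names follow GitHub's published
GraphQL schema for `securityAdvisories` (verify against the schema
reference if the query is rejected). Without GITHUB_TOKEN it runs offline
against the constructed SAMPLE_RESPONSE below.
"""
from __future__ import annotations

import json
import os
import urllib.request
from typing import Any

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest first. The API caps `first` at 100 per page; paginate with `after`.
ADVISORIES_QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId
      summary
      severity
      publishedAt
      identifiers { type value }
      vulnerabilities(first: 5) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""


def fetch_page(token: str, first: int = 50, after: str | None = None) -> dict[str, Any]:
    """Live call: POST the query with a personal access token (needs network)."""
    body = json.dumps({"query": ADVISORIES_QUERY,
                       "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json",
                 "User-Agent": "advisory-listing-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def critical_advisories(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten one response page into rows like the listing, CRITICAL only.

    The row id is the CVE when the advisory has one, else the GHSA id, which
    is how the listing labels entries. `packages` is empty when the advisory
    carries no ecosystem/package data (assumed to match the listing's
    unreviewed entries).
    """
    rows: list[dict[str, Any]] = []
    for adv in response["data"]["securityAdvisories"]["nodes"]:
        if adv["severity"] != "CRITICAL":
            continue
        cves = [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"]
        packages = [f'{v["package"]["name"]} ({v["package"]["ecosystem"]})'
                    for v in adv["vulnerabilities"]["nodes"]]
        rows.append({
            "id": cves[0] if cves else adv["ghsaId"],
            "ghsa": adv["ghsaId"],
            "summary": adv["summary"],
            "published": adv["publishedAt"][:10],
            "packages": packages,
        })
    return rows


# Constructed sample shaped like an API response: two Critical entries from
# the listing (timestamps constructed) plus one constructed HIGH entry to
# exercise the severity filter. Version-range fields are omitted.
SAMPLE_RESPONSE: dict[str, Any] = {"data": {"securityAdvisories": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"ghsaId": "GHSA-8rh7-6779-cjqq", "severity": "CRITICAL",
         "publishedAt": "2026-04-01T00:00:00Z",
         "identifiers": [{"type": "GHSA", "value": "GHSA-8rh7-6779-cjqq"}],
         "summary": "OpenClaw has a CWD `.env` environment variable injection "
                    "which bypasses host-env policy and allows config takeover",
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "NPM", "name": "openclaw"}}]}},
        {"ghsaId": "GHSA-0000-0000-0000", "severity": "HIGH",  # constructed filler
         "publishedAt": "2026-03-31T00:00:00Z",
         "identifiers": [{"type": "GHSA", "value": "GHSA-0000-0000-0000"}],
         "summary": "constructed non-critical entry", "vulnerabilities": {"nodes": []}},
        {"ghsaId": "GHSA-h45m-mgcp-q388", "severity": "CRITICAL",
         "publishedAt": "2026-03-31T00:00:00Z",
         "identifiers": [{"type": "GHSA", "value": "GHSA-h45m-mgcp-q388"}],
         "summary": "openssl-encrypt: TOTP rate limiter is in-memory only",
         "vulnerabilities": {"nodes": [
             {"package": {"ecosystem": "PIP", "name": "openssl-encrypt"}}]}},
    ]}}}


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    page = fetch_page(token) if token else SAMPLE_RESPONSE
    for row in critical_advisories(page):
        pkgs = ", ".join(row["packages"]) or "no package data (unreviewed)"
        print(f'{row["id"]}  {row["published"]}  {pkgs}\n    {row["summary"]}')
```

Set GITHUB_TOKEN to a personal access token to query the live database; the token needs no special scopes for public advisories. The filter is done client side because the `securityAdvisories` connection has no severity argument in the query as written; for a single package or ecosystem, the schema's `securityVulnerabilities` connection, which does accept a `severities` argument, is the cheaper call.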