Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
46
GitHub Actions
48
Go
3,376
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,570
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

4,002 advisories

Loading
File Browser's Signup Grants Execution Permissions When Default Permissions Includes Execution High
CVE-2026-34528 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 31, 2026
offset Credited to offset
OpenClaw: Gateway operator.write Can Reach Admin-Class Channel Allowlist Persistence via chat.send High
GHSA-94pw-c6m8-p9p9 was published for openclaw (npm) Mar 30, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin Critical
GHSA-9hjh-fr4f-gxc4 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
Ella Core has Privilege Escalation via Database Restore by NetworkManager role High
CVE-2026-33906 was published for github.com/ellanetworks/core (Go) Mar 26, 2026
offset Credited to offset
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve Critical
GHSA-hf68-49fm-59cq was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in... High Unreviewed
CVE-2026-2931 was published Mar 26, 2026
Signify allows a remote attacker to escalate privileges via the signed_data.py and the context.py components High
CVE-2025-70887 was published for signify (pip) Mar 25, 2026
An issue in mtrojnar Osslsigncode affected at v2.10 and before allows a remote attacker to... Critical Unreviewed
CVE-2025-70888 was published Mar 25, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 26.4... Moderate Unreviewed
CVE-2026-28889 was published Mar 25, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS... Moderate Unreviewed
CVE-2026-20607 was published Mar 25, 2026
The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to... High Unreviewed
CVE-2026-4314 was published Mar 22, 2026
The Import and export users and customers plugin for WordPress is vulnerable to privilege... High Unreviewed
CVE-2026-3629 was published Mar 22, 2026
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is... Moderate Unreviewed
CVE-2026-2375 was published Mar 21, 2026
pyLoad SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration High
CVE-2026-33509 was published for pyload-ng (pip) Mar 20, 2026
offset Credited to offset
File Browser Signup Grants Admin When Default Permissions Include Admin Critical
CVE-2026-32760 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 16, 2026
fg0x0 Credited to fg0x0 and hacdias hacdias hacdias
OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval High
GHSA-63f5-hhc7-cx6p was published for openclaw (npm) Mar 16, 2026
tdjackey Credited to tdjackey
OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes Critical
CVE-2026-22172 was published for openclaw (npm) Mar 13, 2026
LUOYEcode Credited to LUOYEcode
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries High
GHSA-4w7m-58cg-cmff was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE Critical
GHSA-4jpw-hj22-2xmc was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
OpenClaw: Plugin subagent routes could bypass gateway authorization with synthetic admin scopes Critical
GHSA-xw77-45gv-p728 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts Moderate
CVE-2026-32106 was published for studiocms (npm) Mar 12, 2026
offset Credited to offset and Adammatthiesen Adammatthiesen Adammatthiesen
During an internal security assessment, a potential vulnerability was discovered in Lenovo PC... Moderate Unreviewed
CVE-2026-2640 was published Mar 11, 2026
Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Privilege... Moderate Unreviewed
CVE-2026-24510 was published Mar 11, 2026
Improper Privilege Management in certain Zoom Clients for Windows may allow an authenticated user... High Unreviewed
CVE-2026-30902 was published Mar 11, 2026
Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks High
CVE-2026-31834 was published for Umbraco.Cms (NuGet) Mar 11, 2026
odgrso Credited to odgrso
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database