GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories, by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 42; GitHub Actions 43; Go 3,143; Maven 5,000+; npm 5,000+; NuGet 840; pip 4,439; Pub 12; RubyGems 990; Rust 1,174; Swift 50.
Unreviewed advisories: All unreviewed 5,000+.
4,100 advisories
CVE-2026-1524 (Low, Unreviewed), published Mar 11, 2026: An edge case in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02...
CVE-2026-23813 (Critical, Unreviewed), published Mar 11, 2026: A vulnerability has been identified in the web-based management interface of AOS-CX switches that...
CVE-2026-31975 (High), published Mar 11, 2026 for @siteboon/claude-code-ui (npm): @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
CVE-2026-30967 (High), published Mar 11, 2026 for parse-server (npm): Parse Server OAuth2 authentication adapter account takeover via identity spoofing
CVE-2026-30949 (High), published Mar 11, 2026 for parse-server (npm): Parse Server missing audience validation in Keycloak authentication adapter
CVE-2026-29792 (Critical), published Mar 10, 2026 for @feathersjs/authentication-oauth (npm): Feathers has an OAuth Callback Account Takeover issue
CVE-2026-26128 (High, Unreviewed), published Mar 10, 2026: Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges...
CVE-2026-26141 (High, Unreviewed), published Mar 10, 2026: Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.
CVE-2026-24294 (High, Unreviewed), published Mar 10, 2026: Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges...
CVE-2026-0953 (Critical, Unreviewed), published Mar 10, 2026: The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up...
CVE-2026-29113 (Low), published Mar 10, 2026 for craftcms/cms (Composer): Craft CMS has a potential information disclosure vulnerability in preview tokens
CVE-2026-30863 (Critical), published Mar 9, 2026 for parse-server (npm): Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
CVE-2026-3794 (Moderate, Unreviewed), published Mar 9, 2026: A vulnerability was identified in doramart DoraCMS 3.0.x. This issue affects some unknown...
CVE-2026-3739 (Moderate, Unreviewed), published Mar 8, 2026: A security flaw has been discovered in suitenumerique messages 0.2.0. This issue affects the...
CVE-2026-30851 (High), published Mar 6, 2026 for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go): Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
GHSA-9r75-g2cr-3h76 (Moderate), published Mar 6, 2026 for @workflow/core (npm): Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
GHSA-7rhv-h82h-vpjh (Moderate), published Mar 5, 2026 for ec-cube/ec-cube (Composer): EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface
CVE-2026-30223 (High), published Mar 5, 2026 for github.com/OliveTin/OliveTin (Go): OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
CVE-2026-29093 (High), published Mar 5, 2026 for wwbn/avideo (Composer): AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
CVE-2026-29193 (High), published Mar 4, 2026 for github.com/zitadel/zitadel (Go): ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
CVE-2026-29069 (High), published Mar 4, 2026 for craftcms/cms (Composer): Craft CMS has unauthenticated activation email trigger with potential user enumeration
CVE-2026-3224 (Critical, Unreviewed), published Mar 4, 2026: Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions...
GHSA-jmmg-jqc7-5qf4 (Moderate), published Mar 3, 2026 for openclaw (npm): OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
GHSA-4cqv-h74h-93j4 (Moderate), published Mar 3, 2026 for openclaw (npm): OpenClaw has a Discord `allowFrom` slug-collision authorization bypass
GHSA-25gx-x37c-7pph (Moderate), published Mar 3, 2026 for openclaw (npm): OpenClaw's sandbox browser noVNC observer lacked VNC authentication
Advisories are also available from the GraphQL API.