GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

GitHub reviewed advisories by ecosystem: all reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 46; Go 3,270; Maven 5,000+; npm 5,000+; NuGet 867; pip 4,517; Pub 12; RubyGems 998; Rust 1,194; Swift 51.
Unreviewed advisories: 5,000+.
1,589 advisories match the current filter (every entry shown is severity High; listed newest first).

Published | Severity | Identifier | Package (ecosystem) | Title
Mar 20, 2026 | High | GHSA-mwjc-5j4x-r686 | wwbn/avideo (Composer) | AVideo has an unauthenticated decrypt oracle leaking any ciphertext
Mar 20, 2026 | High | CVE-2026-32305 | github.com/traefik/traefik (Go) | Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config
Mar 19, 2026 | High | CVE-2026-33409 | parse-server (npm) | Parse Server has an auth provider validation bypass on login via partial authData
Mar 18, 2026 | High | CVE-2026-32730 | apostrophe (npm) | ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Mar 16, 2026 | High (unreviewed) | CVE-2026-4252 | no package mapping | A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function...
Mar 12, 2026 | High | CVE-2026-32246 | github.com/steveiliop56/tinyauth (Go) | Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
Mar 11, 2026 | High | CVE-2026-31975 | @siteboon/claude-code-ui (npm) | @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
Mar 11, 2026 | High | CVE-2026-30967 | parse-server (npm) | Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Mar 11, 2026 | High | CVE-2026-30949 | parse-server (npm) | Parse Server missing audience validation in Keycloak authentication adapter
Mar 10, 2026 | High (unreviewed) | CVE-2026-26128 | no package mapping | Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges...
Mar 10, 2026 | High (unreviewed) | CVE-2026-26141 | no package mapping | Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.
Mar 10, 2026 | High (unreviewed) | CVE-2026-24294 | no package mapping | Improper authentication in Windows SMB Server allows an authorized attacker to elevate privileges...
Mar 6, 2026 | High | CVE-2026-30851 | github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) | Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
Mar 5, 2026 | High | CVE-2026-30223 | github.com/OliveTin/OliveTin (Go) | OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes
Mar 5, 2026 | High | CVE-2026-29093 | wwbn/avideo (Composer) | AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
Mar 4, 2026 | High | CVE-2026-29193 | github.com/zitadel/zitadel (Go) | ZITADEL: Login V2 UI Policy Bypass Allows Unauthorized Self-Registration and Authentication
Mar 4, 2026 | High | CVE-2026-29069 | craftcms/cms (Composer) | Craft CMS has unauthenticated activation email trigger with potential user enumeration
Mar 2, 2026 | High | CVE-2026-28787 | @oneuptime/common (npm) | OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay
Feb 27, 2026 | High | CVE-2026-27939 | statamic/cms (Composer) | Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
Feb 26, 2026 | High (unreviewed) | CVE-2025-71057 | no package mapping | Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows...
Feb 18, 2026 | High (unreviewed) | CVE-2026-1368 | no package mapping | The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has...
Feb 18, 2026 | High (unreviewed) | CVE-2026-26119 | no package mapping | Improper authentication in Windows Admin Center allows an authorized attacker to elevate...
Feb 17, 2026 | High | CVE-2026-28465 | @clawdbot/voice-call (npm) | OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Feb 11, 2026 | High (unreviewed) | CVE-2025-65127 | no package mapping | A lack of session validation in the web API component of Shenzhen Zhibotong Electronics ZBT...
Feb 10, 2026 | High (unreviewed) | CVE-2026-21508 | no package mapping | Improper authentication in Windows Storage allows an authorized attacker to elevate privileges...
Advisories are also available from the GraphQL API.
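The practical use of this feed is to match it against what you actually deploy. The following is an added example, written for this page and not code from GitHub or from any of the projects listed above. It builds the GraphQL query for the newest advisories (field names follow the public schema as understood at time of writing, which is an assumption the live call depends on), parses GitHub's comma-separated version-range syntax, and reports which entries of a dependency manifest fall inside a vulnerable range at or above a chosen severity. The advisory records and manifest in the block are constructed test data with placeholder GHSA IDs and ranges; they are not real advisories.

```python
"""Match GitHub Advisory Database records against a dependency manifest.

Added example, not GitHub's code. SAMPLE_ADVISORIES and MANIFEST are constructed
test data (placeholder IDs, names and ranges), not real advisories.
"""
import json
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Newest reviewed advisories first. Field names follow the GitHub GraphQL schema
# (assumption: securityAdvisories / vulnerabilities shape unchanged).
ADVISORY_QUERY = """
query($first: Int!, $after: String) {
  securityAdvisories(first: $first, after: $after,
                     orderBy: {field: PUBLISHED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      ghsaId summary severity publishedAt
      identifiers { type value }
      vulnerabilities(first: 10) {
        nodes {
          package { ecosystem name }
          vulnerableVersionRange
          firstPatchedVersion { identifier }
        }
      }
    }
  }
}
"""


def fetch_advisories(token, first=50, after=None):
    """Live call; not exercised offline. Returns the securityAdvisories connection."""
    body = json.dumps({"query": ADVISORY_QUERY,
                       "variables": {"first": first, "after": after}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=body, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["securityAdvisories"]


def parse_version(s):
    """Numeric dotted prefix only ('v2.11.0' -> (2, 11, 0)); pre-release tags dropped."""
    m = re.search(r"\d+(?:\.\d+)*", s)
    if not m:
        raise ValueError(f"no numeric version in {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _cmp(a, b):
    """Compare tuples padded with zeros so 4.6 == 4.6.0; returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def in_range(version, range_expr):
    """GitHub ranges are comma-joined clauses, e.g. '>= 4.0.0, < 4.6.6'; all must hold."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unparsable range clause: {clause!r}")
        if not _OPS[m.group(1)](_cmp(v, parse_version(m.group(2)))):
            return False
    return True


_SEVERITY_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]


def match_manifest(advisories, manifest, min_severity="HIGH"):
    """Return (ghsaId, package, installed, vulnerable range, first patched) per hit.

    manifest maps (ecosystem, name) -> installed version, ecosystem in GitHub's
    enum spelling (NPM, GO, PIP, COMPOSER, ...).
    """
    floor = _SEVERITY_ORDER.index(min_severity)
    hits = []
    for adv in advisories:
        if _SEVERITY_ORDER.index(adv["severity"]) < floor:
            continue
        for vuln in adv["vulnerabilities"]["nodes"]:
            pkg = vuln["package"]
            key = (pkg["ecosystem"], pkg["name"])
            if key in manifest and in_range(manifest[key], vuln["vulnerableVersionRange"]):
                fixed = vuln["firstPatchedVersion"]
                hits.append((adv["ghsaId"], pkg["name"], manifest[key],
                             vuln["vulnerableVersionRange"],
                             fixed["identifier"] if fixed else None))
    return hits


# Constructed sample in the shape the query returns; placeholder IDs and ranges.
SAMPLE_ADVISORIES = [
    {"ghsaId": "GHSA-0000-0000-0001", "severity": "HIGH", "summary": "constructed auth bypass",
     "publishedAt": "2026-03-19T00:00:00Z", "identifiers": [],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "NPM", "name": "example-server"},
          "vulnerableVersionRange": ">= 5.0.0, < 5.6.2",
          "firstPatchedVersion": {"identifier": "5.6.2"}}]}},
    {"ghsaId": "GHSA-0000-0000-0002", "severity": "MODERATE", "summary": "constructed header leak",
     "publishedAt": "2026-03-06T00:00:00Z", "identifiers": [],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "GO", "name": "github.com/example/proxy"},
          "vulnerableVersionRange": "< 2.11.0",
          "firstPatchedVersion": {"identifier": "2.11.0"}}]}},
    {"ghsaId": "GHSA-0000-0000-0003", "severity": "CRITICAL", "summary": "constructed RCE, no fix yet",
     "publishedAt": "2026-03-11T00:00:00Z", "identifiers": [],
     "vulnerabilities": {"nodes": [
         {"package": {"ecosystem": "PIP", "name": "example-lib"},
          "vulnerableVersionRange": "= 1.4.0",
          "firstPatchedVersion": None}]}},
]

MANIFEST = {  # constructed
    ("NPM", "example-server"): "5.5.0",            # inside range, HIGH
    ("GO", "github.com/example/proxy"): "v2.10.3",  # inside range, but only MODERATE
    ("PIP", "example-lib"): "1.4.0",               # exact match, CRITICAL, unpatched
    ("COMPOSER", "vendor/other"): "3.0.0",         # no advisory
}

if __name__ == "__main__":
    for hit in match_manifest(SAMPLE_ADVISORIES, MANIFEST):
        print(hit)
```

With a token, `fetch_advisories(token)["nodes"]` can be passed straight to `match_manifest`; page through `pageInfo.endCursor` until `publishedAt` drops below the last date you already processed. Two caveats the range parser makes explicit: versions with pre-release suffixes are compared on their numeric prefix only, and an advisory with `firstPatchedVersion: null` is still a hit, which is exactly the case where you want the report rather than silence.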