Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,196
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,483
Pub
12
RubyGems
992
Rust
1,186
Swift
51
Unreviewed advisories
All unreviewed
5,000+

476 advisories

Loading
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker... High Unreviewed
CVE-2026-32294 was published Mar 17, 2026
The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of uploaded firmware... High Unreviewed
CVE-2026-32290 was published Mar 17, 2026
ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack High
CVE-2026-28500 was published for onnx (pip) Mar 16, 2026
ZeroXJacks Credited to ZeroXJacks
HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not... Low Unreviewed
CVE-2025-52645 was published Mar 16, 2026
HCL AION is affected by a vulnerability where container base images are not properly... Moderate Unreviewed
CVE-2025-52638 was published Mar 16, 2026
PyJWT accepts unknown `crit` header extensions High
CVE-2026-32597 was published for PyJWT (pip) Mar 13, 2026
dmbs335 Credited to dmbs335
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Generic webhook channel trusts caller-supplied identity fields; allowlist is checked against untrusted payload data High
CVE-2026-32231 was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
Insufficient verification of data authenticity in Windows App Installer allows an unauthorized... Moderate Unreviewed
CVE-2026-23656 was published Mar 10, 2026
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding High
CVE-2026-30920 was published for @oneuptime/common (npm) Mar 9, 2026
maru1009 Credited to maru1009
A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg... Moderate Unreviewed
CVE-2026-3706 was published Mar 8, 2026
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation High
CVE-2026-30851 was published for github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy (Go) Mar 6, 2026
NucleiAv Credited to NucleiAv
OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes High
CVE-2026-30223 was published for github.com/OliveTin/OliveTin (Go) Mar 5, 2026
Zwique Credited to Zwique
Gogs: Cross-repository LFS object overwrite via missing content hash verification Critical
CVE-2026-25921 was published for gogs.io/gogs (Go) Mar 5, 2026
zjuchenyuan Credited to zjuchenyuan
Insufficient Verification of Data Authenticity, Improper Handling of Exceptional Conditions... High Unreviewed
CVE-2026-30798 was published Mar 5, 2026
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity Low
GHSA-gcj7-r3hg-m7w6 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions Moderate
GHSA-2rgf-hm63-5qph was published for openclaw (npm) Mar 3, 2026
AnthonyDiSanti Credited to AnthonyDiSanti and vincentkoc vincentkoc vincentkoc
An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance... High Unreviewed
CVE-2025-63910 was published Mar 3, 2026
A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function... Moderate Unreviewed
CVE-2025-15598 was published Mar 3, 2026
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification... High Unreviewed
CVE-2026-2428 was published Feb 27, 2026
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android... Moderate Unreviewed
CVE-2026-27510 was published Feb 26, 2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter Critical
CVE-2026-27804 was published for parse-server (npm) Feb 25, 2026
sebastianosrt Credited to sebastianosrt and mtrezza mtrezza mtrezza
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo High
CVE-2026-27700 was published for hono (npm) Feb 25, 2026
EdamAme-x Credited to EdamAme-x
A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function... Moderate Unreviewed
CVE-2026-2968 was published Feb 23, 2026
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu,... Moderate Unreviewed
CVE-2026-2385 was published Feb 22, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database