GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Reviewed advisories by ecosystem:
All reviewed: 5,000+
Composer: 5,000+
Erlang: 44
GitHub Actions: 47
Go: 3,295
Maven: 5,000+
npm: 5,000+
NuGet: 876
pip: 4,524
Pub: 12
RubyGems: 1,008
Rust: 1,194
Swift: 51

Unreviewed advisories (all ecosystems): 5,000+

The current filter matches 1,253 advisories. The most recent are listed below, newest first; each entry gives the advisory title, severity, identifier, affected package and ecosystem (where GitHub has reviewed it), and publication date.
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
Severity: Low. CVE-2026-33160, published for craftcms/cms (Composer), Mar 24, 2026.

Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Severity: Moderate. CVE-2026-33158, published for craftcms/cms (Composer), Mar 24, 2026.

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
Severity: High. CVE-2026-32300, published for opensource-workshop/connect-cms (Composer), Mar 23, 2026.

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
Severity: Moderate. CVE-2026-30886, published for github.com/QuantumNous/new-api (Go), Mar 23, 2026.

langflow has Unauthenticated IDOR on Image Downloads
Severity: High. CVE-2026-33484, published for langflow (pip), Mar 20, 2026.

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Severity: Moderate. CVE-2026-33313, published for code.vikunja.io/api (Go), Mar 20, 2026.

AVideo: IDOR - Any Admin Can Set Another User's Channel Password via setPassword.json.php
Severity: Moderate. CVE-2026-33297, published for wwbn/avideo (Composer), Mar 19, 2026.

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows...
Severity: Moderate. Unreviewed. CVE-2025-32223, published Mar 19, 2026.

Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V....
Severity: Moderate. Unreviewed. CVE-2026-27397, published Mar 19, 2026.

File Browser has an Authorization Policy Bypass in Public Share Download Flow
Severity: Moderate. CVE-2026-32761, published for https://github.com/filebrowser/filebrowser (Go), Mar 18, 2026.

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)
Severity: High. CVE-2026-33053, published for langflow (pip), Mar 18, 2026.

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)
Severity: High. CVE-2026-4208, published for ralffreit/mfa-email (Composer), Mar 17, 2026.

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Severity: Low. CVE-2026-32638, published for studiocms (npm), Mar 16, 2026.

Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications
Severity: Moderate. CVE-2026-2461, published for github.com/mattermost/mattermost-plugin-boards (Go), Mar 16, 2026.

Identity based authorization bypass vulnerability (IDOR) that allows an attacker to modify the...
Severity: High. Unreviewed. CVE-2026-3020, published Mar 16, 2026.

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for...
Severity: Moderate. Unreviewed. CVE-2026-1883, published Mar 16, 2026.

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to...
Severity: High. Unreviewed. CVE-2026-1947, published Mar 16, 2026.

Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object...
Severity: Critical. Unreviewed. CVE-2017-20223, published Mar 16, 2026.

Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows...
Severity: High. Unreviewed. CVE-2016-20033, published Mar 16, 2026.

A broken access control may allow an authenticated user to perform a horizontal privilege...
Severity: High. Unreviewed. CVE-2026-3999, published Mar 13, 2026.

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user...
Severity: Moderate. Unreviewed. CVE-2026-2888, published Mar 13, 2026.

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all...
Severity: Moderate. Unreviewed. CVE-2026-2879, published Mar 13, 2026.

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all...
Severity: Moderate. Unreviewed. CVE-2026-2257, published Mar 13, 2026.

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for...
Severity: Moderate. Unreviewed. CVE-2026-1704, published Mar 13, 2026.

OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions
Severity: Moderate. GHSA-8jhh-jcqg-mj5p, published for openclaw (npm), Mar 13, 2026.
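The entries above share one root cause: a handler takes an object identifier (an image, video, comment, API key or user id) from the request and reads or modifies that object without binding the key to the authenticated caller. The Python below is an added example written for this page, not code from any advisory or project listed above; the Request shape, the in-memory stores and the users alice and bob are constructed for illustration. It places a vulnerable read handler (the "image download" / "video proxy" pattern) and a vulnerable write handler (the "profile update" / "set another user's password" pattern) beside hardened versions that take the principal from the session and scope the lookup by owner.

```python
"""IDOR: a caller-controlled key selects the object and nothing ties it to the caller.

Added example for this page, not code from any project above. Request, the
in-memory IMAGES/USERS stores and the users alice (100) and bob (200) are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Raised for both missing and not-owned objects so the two cases look identical."""


@dataclass
class Request:
    session_user_id: Optional[int]              # set by the auth layer from a verified session; None = anonymous
    params: dict = field(default_factory=dict)  # caller-controlled path/query/body parameters


# Constructed sample data: two users, each owning one image.
IMAGES = {
    1: {"owner_id": 100, "content": b"alice-private.png"},
    2: {"owner_id": 200, "content": b"bob-private.png"},
}
USERS = {100: {"name": "alice"}, 200: {"name": "bob"}}


# --- Read side: fetching an object by a request-supplied key ------------------

def download_image_vulnerable(req: Request) -> bytes:
    """Vulnerable: the lookup uses the request key alone; no principal is consulted,
    so an anonymous or unrelated caller who guesses image_id reads anyone's image."""
    image = IMAGES.get(int(req.params["image_id"]))
    if image is None:
        raise NotFound()
    return image["content"]


def download_image_hardened(req: Request) -> bytes:
    """Hardened: require a principal, then scope the lookup to that principal.
    Missing and foreign objects both raise NotFound, so the response does not
    confirm whether a guessed id exists."""
    if req.session_user_id is None:
        raise PermissionError("authentication required")
    image = IMAGES.get(int(req.params["image_id"]))
    if image is None or image["owner_id"] != req.session_user_id:
        raise NotFound()
    return image["content"]


# --- Write side: choosing which account a self-service action applies to ------

def rename_user_vulnerable(req: Request) -> int:
    """Vulnerable: the record to modify is selected by a caller-controlled user_id.
    Returns the id of the record that was changed."""
    target = int(req.params["user_id"])
    USERS[target]["name"] = req.params["name"]
    return target


def rename_user_hardened(req: Request) -> int:
    """Hardened: the target is the authenticated principal; a user_id in the request
    is ignored. Acting on another account belongs in a separate, explicitly
    authorized admin path, not in a self-service handler."""
    if req.session_user_id is None:
        raise PermissionError("authentication required")
    target = req.session_user_id
    USERS[target]["name"] = req.params["name"]
    return target


def outcome(handler, req: Request) -> str:
    """Run a handler and reduce the result to a label for side-by-side comparison."""
    try:
        handler(req)
    except NotFound:
        return "not found"
    except PermissionError:
        return "unauthenticated"
    return "ok"


if __name__ == "__main__":
    # bob (200) requests alice's image (1) and tries to rename alice's account (100).
    bob = Request(session_user_id=200, params={"image_id": "1", "user_id": "100", "name": "pwned"})
    anon = Request(session_user_id=None, params={"image_id": "1"})
    for label, handler, req in [
        ("download (vulnerable), anonymous  ", download_image_vulnerable, anon),
        ("download (hardened),   anonymous  ", download_image_hardened, anon),
        ("download (vulnerable), bob->alice ", download_image_vulnerable, bob),
        ("download (hardened),   bob->alice ", download_image_hardened, bob),
        ("rename   (vulnerable), bob->alice ", rename_user_vulnerable, bob),
        ("rename   (hardened),   bob->alice ", rename_user_hardened, bob),
    ]:
        print(f"{label}: {outcome(handler, req)}")
```

The hardened handlers fold the ownership condition into the lookup itself rather than checking it afterwards, which is the shape that survives refactoring; returning the same "not found" for absent and foreign ids also removes the oracle an attacker would otherwise use to enumerate valid identifiers.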
Advisories are also available from the GraphQL API.