Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
45
Go
3,227
Maven
5,000+
npm
5,000+
NuGet
864
pip
4,502
Pub
12
RubyGems
995
Rust
1,187
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,895 advisories

Loading
Mattermost fails to properly restrict the access of files attached to posts Low
CVE-2024-23488 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 29, 2024
OpenClaw's runtime /debug override path accepted prototype-reserved keys Low
CVE-2026-27524 was published for openclaw (npm) Mar 3, 2026
tdjackey Credited to tdjackey
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens Low
CVE-2026-32638 was published for studiocms (npm) Mar 16, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
Parse Server has a password reset token single-use bypass via concurrent requests Low
CVE-2026-32943 was published for parse-server (npm) Mar 17, 2026
fancymalware Credited to fancymalware and mtrezza mtrezza mtrezza
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload Low
CVE-2026-33221 was published for github.com/nhost/nhost (Go) Mar 18, 2026
0xkakash1 Credited to 0xkakash1
mo has a XSS via inline SVG script tags in Markdown rendering Low
GHSA-vccx-p757-pv6h was published for github.com/k1LoW/mo (Go) Mar 18, 2026
yagihash Credited to yagihash
Improper detection of disallowed URIs by Loofah `allowed_uri?` Low
GHSA-46fp-8f5p-pf2m was published for loofah (RubyGems) Mar 18, 2026
Broken Access Control in extension "Redirect Tab" (redirect_tab) Low
CVE-2026-4202 was published for ayacoo/redirect-tab (Composer) Mar 17, 2026
Rack Header Parsing leads to Possible Denial of Service Vulnerability Low
CVE-2024-26146 was published for rack (RubyGems) Feb 28, 2024
SValkanov Credited to SValkanov
NPM IP package incorrectly identifies some private IP addresses as public Low
CVE-2023-42282 was published for ip (npm) Feb 8, 2024
G-Rath Credited to G-Rath, levpachmanov, dotboris, and iFreilicht levpachmanov levpachmanov
dotboris dotboris iFreilicht iFreilicht
ASA-2024-004: Default configuration param for Evidence may limit window of validity Low
GHSA-555p-m4v6-cqxv was published for github.com/cometbft/cometbft (Go) Feb 28, 2024
Rack has possible DoS Vulnerability with Range Header Low
CVE-2024-26141 was published for rack (RubyGems) Feb 28, 2024
ooooooo-q Credited to ooooooo-q
Undici proxy-authorization header not cleared on cross-origin redirect in fetch Low
CVE-2024-24758 was published for undici (npm) Feb 16, 2024
T1m0n0 Credited to T1m0n0 and mcollina mcollina mcollina
astral-tokio-tar insufficiently validates PAX extensions during extraction Low
CVE-2026-32766 was published for astral-tokio-tar (Rust) Mar 17, 2026
woodruffw Credited to woodruffw and xokdvium xokdvium xokdvium
Next.js: null origin can bypass dev HMR websocket CSRF checks Low
CVE-2026-27977 was published for next (npm) Mar 17, 2026
radu33 Credited to radu33 and xdavidhu xdavidhu xdavidhu
ASA-2024-005: Potential slashing evasion during re-delegation Low
GHSA-86h5-xcpx-cfqc was published for github.com/cosmos/cosmos-sdk (Go) Feb 27, 2024
langchain Server-Side Request Forgery vulnerability Low
CVE-2024-0243 was published for langchain (pip) Feb 26, 2024
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability Low
CVE-2026-32266 was published for craftcms/google-cloud (Composer) Mar 16, 2026
Stored XSS in Memray-generated HTML reports via unescaped command-line metadata Low
CVE-2026-32722 was published for memray (pip) Mar 16, 2026
0xmrma Credited to 0xmrma
XSS in @leanprover/unicode-input-component Low
CVE-2026-32732 was published for @leanprover/unicode-input-component (npm) Mar 16, 2026
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback Low
CVE-2026-27448 was published for pyopenssl (pip) Mar 16, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
stefanprodan Credited to stefanprodan
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens` Low
CVE-2024-27088 was published for es5-ext (npm) Feb 26, 2024
GAP-dev Credited to GAP-dev and SCH227 SCH227 SCH227
Race condition in Endorsements Low
CVE-2023-47634 was published for decidim (RubyGems) Feb 20, 2024
microstudi Credited to microstudi, alecslupu, and andreslucena alecslupu alecslupu
andreslucena andreslucena
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database