GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem: All reviewed 5,000+; Composer 5,000+; Erlang 44; GitHub Actions 47; Go 3,295; Maven 5,000+; npm 5,000+; NuGet 876; pip 4,524; Pub 12; RubyGems 1,008; Rust 1,194; Swift 51.
Unreviewed advisories: All unreviewed 5,000+.
1,913 advisories
Anytype Heart's gRPC API client challenge verification can be bypassed on localhost
  Low severity, CVE-2026-31863, published Mar 11, 2026 for github.com/anyproto/anytype-cli (Go)

Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
  Low severity, CVE-2026-4539, published Mar 22, 2026 for Pygments (pip)

Parse Server: MFA recovery code single-use bypass via concurrent requests
  Low severity, CVE-2026-33624, published Mar 24, 2026 for parse-server (npm)

Duplicate Advisory: OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
  Low severity, GHSA-vmvw-pwwf-cc2w, published Mar 21, 2026 for openclaw (NuGet), withdrawn

Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
  Low severity, GHSA-cjq8-m7wj-xmq9, published Mar 21, 2026 for openclaw (npm), withdrawn

OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
  Low severity, CVE-2026-32897, published Mar 3, 2026 for openclaw (npm)

Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
  Low severity, GHSA-8mr2-f9wf-hcfq, published Mar 21, 2026 for openclaw (npm), withdrawn

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
  Low severity, CVE-2026-33161, published Mar 24, 2026 for craftcms/cms (Composer)

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
  Low severity, CVE-2026-33160, published Mar 24, 2026 for craftcms/cms (Composer)

Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
  Low severity, CVE-2026-33525, published Mar 24, 2026 for github.com/authelia/authelia/v4 (Go)

Apache Camel data exposure vulnerability
  Low severity, CVE-2024-22371, published Feb 26, 2024 for org.apache.camel:camel-core (Maven)
Vyper's `extract32` can read dirty memory
  Low severity, CVE-2024-24564, published Feb 26, 2024 for vyper (pip)
Concrete CMS vulnerable to stored XSS via the Role Name field
  Low severity, CVE-2024-1247, published Feb 9, 2024 for concrete5/concrete5 (Composer)

Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
  Low severity, CVE-2024-1246, published Feb 9, 2024 for concrete5/concrete5 (Composer)

Concrete CMS vulnerable to stored XSS in file tags and description attributes
  Low severity, CVE-2024-1245, published Feb 9, 2024 for concrete5/concrete5 (Composer)

MindSQL is vulnerable to Code Injection through its ask_db function
  Low severity, CVE-2026-4506, published Mar 21, 2026 for mindsql (pip)

Rails has a possible XSS vulnerability in its Action View tag helpers
  Low severity, CVE-2026-33168, published Mar 23, 2026 for actionview (RubyGems)

Rails has a possible XSS vulnerability in its Action Pack debug exceptions
  Low severity, CVE-2026-33167, published Mar 23, 2026 for actionpack (RubyGems)

Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
  Low severity, CVE-2024-26142, published Feb 27, 2024 for actionpack (RubyGems)

Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
  Low severity, GHSA-68c2-4mpx-qh95, published Mar 1, 2024 for @sentry/react-native (npm)
Mattermost incorrectly allows access to individual posts
  Low severity, CVE-2024-1952, published Feb 29, 2024 for github.com/mattermost/mattermost/server/v8 (Go)
etcd: Nested etcd transactions bypass RBAC authorization checks
  Low severity, CVE-2026-33343, published Mar 20, 2026 for go.etcd.io/etcd (Go)

OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
  Low severity, CVE-2026-31991, published Mar 2, 2026 for openclaw (npm)

astral-tokio-tar insufficiently validates PAX extensions during extraction
  Low severity, CVE-2026-32766, published Mar 17, 2026 for astral-tokio-tar (Rust)

h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
  Low severity, CVE-2026-33490, published Mar 20, 2026 for h3 (npm)
Advisories are also available from the GraphQL API.