Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,148
Maven
5,000+
npm
5,000+
NuGet
859
pip
4,444
Pub
12
RubyGems
990
Rust
1,176
Swift
50
Unreviewed advisories
All unreviewed
5,000+

152,070 advisories

Loading
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c... Moderate Unreviewed
CVE-2026-2987 was published Mar 12, 2026
A flaw was found in Libsoup. The server-side digest authentication implementation in the... Moderate Unreviewed
CVE-2026-3099 was published Mar 12, 2026
Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the... Moderate Unreviewed
CVE-2026-0809 was published Mar 12, 2026
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint Moderate
CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification Moderate
GHSA-725g-w329-g7qr was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts Moderate
CVE-2026-32106 was published for studiocms (npm) Mar 12, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings Moderate
CVE-2026-32104 was published for studiocms (npm) Mar 12, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation Moderate
CVE-2026-32103 was published for studiocms (npm) Mar 12, 2026
FilipeGaudard Credited to FilipeGaudard and Adammatthiesen Adammatthiesen Adammatthiesen
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page Moderate
CVE-2026-32230 was published for uptime-kuma (npm) Mar 12, 2026
kuranikaran Credited to kuranikaran
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form Moderate
CVE-2026-32112 was published for ha-mcp (pip) Mar 12, 2026
yotampe-pluto Credited to yotampe-pluto and julienld julienld julienld
ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle Moderate
CVE-2026-32111 was published for ha-mcp (pip) Mar 12, 2026
yotampe-pluto Credited to yotampe-pluto and julienld julienld julienld
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch Moderate
GHSA-8j2w-6fmm-m587 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers Moderate
GHSA-v8cg-4474-49v8 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty Moderate
GHSA-g7cr-9h7q-4qxq was published for openclaw (npm) Mar 12, 2026
zpbrent Credited to zpbrent
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path Moderate
GHSA-vhwf-4x96-vqx2 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
GHSA-8g75-q649-6pv6 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OliveTin's email argument makes compliance harder, enables log injection Moderate
GHSA-xx6g-43w2-9g6g was published for github.com/OliveTin/OliveTin (Go) Mar 12, 2026
fg0x0 Credited to fg0x0
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause Moderate
CVE-2026-32098 was published for parse-server (npm) Mar 12, 2026
restriction Credited to restriction and mtrezza mtrezza mtrezza
ImageMagick has heap buffer overflow in WriteXWDImage due to CARD32 arithmetic overflow in bytes_per_line calculation Moderate
CVE-2026-30937 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
ylwango613 Credited to ylwango613
ImageMagick has Heap Buffer Overflow in WaveletDenoiseImage Moderate
CVE-2026-30936 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
Taardisaa Credited to Taardisaa
ImageMagick has Heap Buffer Over-Read in BilateralBlurImage Moderate
CVE-2026-30935 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
Taardisaa Credited to Taardisaa
ImageMagick has heap-based buffer overflow in UHDR encoder Moderate
CVE-2026-30931 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
linkeLi0421 Credited to linkeLi0421
devalue has prototype pollution in devalue.parse and devalue.unflatten Moderate
CVE-2026-30226 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, and jviide KarimPwnz KarimPwnz
jviide jviide
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database