
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub-originated security advisories from the world of open source software.

11,835 advisories

Agentgateway is missing parameter sanitization in MCP to OpenAPI conversion Moderate
GHSA-v2x6-wwfw-r2rq was published for github.com/agentgateway/agentgateway (Go) Mar 5, 2026
eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write Moderate
CVE-2026-29780 was published for eml-parser (pip) Mar 5, 2026
Credited to redyank
File Browser's TUS Delete Endpoint Bypasses Delete Permission Check Moderate
CVE-2026-29188 was published for github.com/filebrowser/filebrowser/v2 (Go) Mar 4, 2026
Credited to fg0x0 and hacdias
changedetection.io has Reflected XSS in its RSS Tag Error Response Moderate
CVE-2026-29038 was published for changedetection.io (pip) Mar 4, 2026
Credited to Akokonunes
Kimai's API invoice endpoint missing customer-level access control (IDOR) Moderate
CVE-2026-28685 was published for kimai/kimai (Composer) Mar 4, 2026
lxd's non-recursive certificate listing bypasses per-object authorization and leaks all fingerprints Moderate
CVE-2026-3351 was published for github.com/canonical/lxd (Go) Mar 4, 2026
Credited to bugbunny-research
neqo-qpack has Integer overflow in qpack dynamic table indexing Moderate
GHSA-6w86-wgwq-rgq8 was published for neqo-qpack (Rust) Mar 4, 2026
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher Moderate
CVE-2026-27898 was published for vaultwarden (Rust) Mar 4, 2026
Credited to odgrso and BlackDex
Vaultwarden has 2FA Bypass on Protected Actions due to Faulty Rate Limit Enforcement Moderate
CVE-2026-27801 was published for vaultwarden (Rust) Mar 4, 2026
Credited to d-xuan, BlackDex, and dani-garcia
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie() Moderate
CVE-2026-29086 was published for hono (npm) Mar 4, 2026
Credited to TarPeg007
Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() Moderate
CVE-2026-29085 was published for hono (npm) Mar 4, 2026
Credited to TarPeg007
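The two Hono entries above name the same vulnerability class twice: a caller-supplied value (a cookie's Domain/Path attribute, an SSE event field) is concatenated into a line-oriented protocol without being checked for CR/LF, so one value can terminate the current line and start a new header or SSE field. The block below is an added, generic illustration of that class and of the check a serializer should apply. It is not Hono's code and does not reproduce the advisories' defect or fix; the function names (naiveSetCookie, strictSetCookie, naiveSSE, strictSSE, lineCount) and the inputs are constructed for the example, and the character rules for Domain and Path follow RFC 6265.

```javascript
// Added illustration of CR/LF injection into Set-Cookie attributes and SSE
// fields. Hypothetical names, constructed inputs; not Hono's implementation.

// Naive serializers: attribute and field values are concatenated verbatim,
// so a value containing "\r\n" produces an extra header or SSE line.
function naiveSetCookie(name, value, { domain, path } = {}) {
  let out = `${name}=${value}`;
  if (domain) out += `; Domain=${domain}`;
  if (path) out += `; Path=${path}`;
  return out;
}

function naiveSSE({ event, data }) {
  let out = '';
  if (event) out += `event: ${event}\n`;
  out += `data: ${data}\n\n`;
  return out;
}

// Hardened forms: refuse control characters in every caller-controlled piece,
// and restrict Domain/Path to what RFC 6265 allows for those attributes
// (domain-value: letters, digits, '-', '.'; path-value: any CHAR except CTLs and ';').
const CONTROL = /[\x00-\x1f\x7f]/;
const DOMAIN_OK = /^[A-Za-z0-9.-]+$/;
const PATH_OK = /^[^\x00-\x1f\x7f;]+$/;

function strictSetCookie(name, value, { domain, path } = {}) {
  if (CONTROL.test(name) || CONTROL.test(value)) throw new TypeError('control character in cookie name/value');
  if (domain !== undefined && !DOMAIN_OK.test(domain)) throw new TypeError('invalid Domain attribute');
  if (path !== undefined && !PATH_OK.test(path)) throw new TypeError('invalid Path attribute');
  return naiveSetCookie(name, value, { domain, path });
}

function strictSSE({ event, data }) {
  // "event:" is a single-line field: a newline here would start a new field.
  if (event !== undefined && /[\r\n]/.test(event)) throw new TypeError('newline in SSE event field');
  // "data:" may legitimately span lines; the spec's way is one "data:" line per line,
  // which the client joins with "\n", so no caller text can become a field name.
  const lines = String(data).split(/\r\n|\r|\n/);
  let out = '';
  if (event) out += `event: ${event}\n`;
  for (const l of lines) out += `data: ${l}\n`;
  return out + '\n';
}

// Number of non-empty lines a serialized value produces; a caller-controlled
// attribute must never be able to raise it.
function lineCount(s) {
  return s.split(/\r\n|\r|\n/).filter(Boolean).length;
}
```

The useful invariant for a fuzz or unit test is the last function: for any attribute value, the serialized cookie is exactly one line and the serialized SSE frame contains exactly the fields the server intended. Splitting multi-line data into repeated `data:` lines, rather than rejecting it, keeps legitimate payloads working while removing the injection.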
OpenClaw: BlueBubbles (optional plugin) pairing/allowlist mismatch when allowFrom is empty Moderate
GHSA-jwf4-8wf4-jf2m was published for openclaw (npm) Mar 4, 2026
Credited to tdjackey
OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection Moderate
GHSA-jjgj-cpp9-cvpv was published for openclaw (npm) Mar 4, 2026
Credited to NucleiAv and tdjackey
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard Moderate
GHSA-4rqq-w8v4-7p47 was published for openclaw (npm) Mar 4, 2026
Credited to princeeismond-dot
OpenClaw has agent avatar symlink traversal in gateway session metadata Moderate
GHSA-9mph-4f7v-fmvh was published for openclaw (npm) Mar 4, 2026
Credited to jiseoung
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP Moderate
GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) Mar 4, 2026
Credited to zpbrent
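Two of the OpenClaw entries above (incomplete IPv4 special-use blocking in the web fetch guard, and the SSRF guard bypass via IPv6 transition over ISATAP) describe the two usual ways a deny-list SSRF guard fails: the IPv4 list misses registry ranges such as 100.64.0.0/10 or 198.18.0.0/15, and an IPv6 literal that carries an IPv4 address inside its interface identifier is never checked against that list at all. The block below is an added, generic illustration of a guard that addresses both, and goes slightly beyond the titles by also handling IPv4-mapped addresses (::ffff:a.b.c.d). It is not OpenClaw's code and does not reproduce the advisories' specific gaps or fixes; the function names (v4ToInt, inCidr, v6Groups, embeddedV4, isBlockedHost) and test inputs are constructed for the example, the IPv4 ranges are the IANA IPv4 Special-Purpose Address Registry entries (RFC 6890), and the ISATAP interface-identifier layout is from RFC 5214.

```javascript
// Added illustration of an SSRF guard for IP literals: a complete IPv4
// special-use list, plus extraction of an IPv4 address embedded in an IPv6
// literal (IPv4-mapped or ISATAP) so the same list applies to it.
// Hypothetical names, constructed inputs; not OpenClaw's implementation.

// IANA IPv4 Special-Purpose Address Registry (RFC 6890) plus multicast/reserved.
const SPECIAL_USE_V4 = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.0.0.0/24', '192.0.2.0/24', '192.88.99.0/24',
  '192.168.0.0/16', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24',
  '224.0.0.0/4', '240.0.0.0/4', '255.255.255.255/32',
];

// Dotted quad -> unsigned 32-bit integer, or null if it is not a strict dotted quad.
function v4ToInt(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((v4ToInt(net) & mask) >>> 0);
}

// IPv6 text -> eight 16-bit groups (accepts "::" and a dotted-quad tail), or null.
function v6Groups(s) {
  const tail = s.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const n = v4ToInt(tail[2]);
    if (n === null) return null;
    s = tail[1] + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const parse = h => (h === '' ? [] : h.split(':').map(g => (/^[0-9a-fA-F]{1,4}$/.test(g) ? parseInt(g, 16) : NaN)));
  const head = parse(halves[0]);
  const rest = halves.length === 2 ? parse(halves[1]) : [];
  if ([...head, ...rest].some(Number.isNaN)) return null;
  const fill = 8 - head.length - rest.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  return [...head, ...Array(fill).fill(0), ...rest];
}

// IPv4 address carried inside an IPv6 literal, or null.
function embeddedV4(g) {
  const [g0, g1, g2, g3, g4, g5, g6, g7] = g;
  // IPv4-mapped: ::ffff:a.b.c.d
  if (g0 === 0 && g1 === 0 && g2 === 0 && g3 === 0 && g4 === 0 && g5 === 0xffff) return ((g6 << 16) | g7) >>> 0;
  // ISATAP interface identifier (RFC 5214): ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d,
  // under any prefix; the u/g bit (0x0200) may be set or clear.
  if ((g4 & 0xfdff) === 0 && g5 === 0x5efe) return ((g6 << 16) | g7) >>> 0;
  return null;
}

function isBlockedV4(n) {
  return SPECIAL_USE_V4.some(c => inCidr(n, c));
}

// true if an IP-literal host must be refused. Hostnames return false here: a
// real guard resolves them and runs every resolved address through this check.
function isBlockedHost(host) {
  const v4 = v4ToInt(host);
  if (v4 !== null) return isBlockedV4(v4);
  const groups = v6Groups(host.replace(/^\[|\]$/g, ''));
  if (groups === null) return false;
  const inner = embeddedV4(groups);
  if (inner !== null) return isBlockedV4(inner);
  // Native IPv6 special-use: unspecified ::, loopback ::1, link-local fe80::/10, ULA fc00::/7.
  if (groups.every(x => x === 0)) return true;
  if (groups.slice(0, 7).every(x => x === 0) && groups[7] === 1) return true;
  if ((groups[0] & 0xffc0) === 0xfe80) return true;
  if ((groups[0] & 0xfe00) === 0xfc00) return true;
  return false;
}
```

Two caveats a practitioner would add on top of this: the check has to run on the addresses a hostname actually resolves to, and again on every redirect target, otherwise DNS rebinding or a 302 to an internal literal walks around it; and any new IPv4-in-IPv6 encoding the guard does not decode (6to4 under 2002::/16 is the obvious remaining one) reopens the same gap the ISATAP entry above describes.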
CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package Moderate
CVE-2026-28343 was published for @ckeditor/ckeditor5-html-support (npm) Mar 4, 2026
Traefik has unbounded io.ReadAll on auth server response body that causes OOM DoS Moderate
CVE-2026-26998 was published for github.com/traefik/traefik/v2 (Go) Mar 4, 2026
Credited to sm1ee
Apache ActiveMQ is Vulnerable to Integer Overflow or Wraparound Moderate
CVE-2025-66168 was published for org.apache.activemq:activemq-all (Maven) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3242 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3240 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3244 was published for concrete5/concrete5 (Composer) Mar 4, 2026
Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability Moderate
CVE-2026-3241 was published for concrete5/concrete5 (Composer) Mar 4, 2026