Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
42
GitHub Actions
43
Go
3,153
Maven
5,000+
npm
5,000+
NuGet
861
pip
4,451
Pub
12
RubyGems
991
Rust
1,179
Swift
50
Unreviewed advisories
All unreviewed
5,000+

11,972 advisories

Loading
Ella Core: AMF DoS via malformed PathSwitchRequest with empty NR security capability bitstrings Moderate
CVE-2026-32320 was published for github.com/ellanetworks/core (Go) Mar 12, 2026
p1-aji Credited to p1-aji
TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction Moderate
CVE-2026-29066 was published for @tinacms/cli (npm) Mar 12, 2026
alaeddine03 Credited to alaeddine03
ImageMagick: Specially crafted SVG leads to segmentation fault and generate trash files in "/tmp", possible to leverage DoS Moderate
CVE-2023-1289 was published for Magick.NET-Q16-AnyCPU (NuGet) Mar 12, 2026
Im10n Credited to Im10n
Hyperterse: Raw exposure of database statements in MCP search tool Moderate
CVE-2026-31841 was published for hyperterse (npm) Mar 12, 2026
@tinacms/graphql has a Path Traversal issue Moderate
CVE-2026-24125 was published for @tinacms/graphql (npm) Mar 12, 2026
Trix has a Stored XSS vulnerability through serialized attributes Moderate
GHSA-qmpg-8xg6-ph5q was published for action_text-trix (RubyGems) Mar 12, 2026
Tinyauth's OIDC authorization codes are not bound to client on token exchange Moderate
CVE-2026-32245 was published for github.com/steveiliop56/tinyauth (Go) Mar 12, 2026
e1024x Credited to e1024x
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
Parse Server has a SQL injection via query field name when using PostgreSQL Moderate
CVE-2026-32234 was published for parse-server (npm) Mar 12, 2026
0xkakash1 Credited to 0xkakash1 and mtrezza mtrezza mtrezza
@backstage/plugin-scaffolder-backend: Possible exposure of defaultEnvironment secrets using dry-run endpoint Moderate
CVE-2026-32237 was published for @backstage/plugin-scaffolder-backend (npm) Mar 12, 2026
@backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass Moderate
CVE-2026-32235 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
kora-lib: Token-2022 Transfer Fee Not Deducted During Payment Verification Moderate
GHSA-725g-w329-g7qr was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
kora-lib: Unrecognized Instruction Types Create Empty Stubs That Bypass Fee Payer Policy Moderate
GHSA-x442-m7cc-hr92 was published for kora-lib (Rust) Mar 12, 2026
solanabughunter-glitch Credited to solanabughunter-glitch
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts Moderate
CVE-2026-32106 was published for studiocms (npm) Mar 12, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings Moderate
CVE-2026-32104 was published for studiocms (npm) Mar 12, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation Moderate
CVE-2026-32103 was published for studiocms (npm) Mar 12, 2026
FilipeGaudard Credited to FilipeGaudard and Adammatthiesen Adammatthiesen Adammatthiesen
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page Moderate
CVE-2026-32230 was published for uptime-kuma (npm) Mar 12, 2026
kuranikaran Credited to kuranikaran
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form Moderate
CVE-2026-32112 was published for ha-mcp (pip) Mar 12, 2026
yotampe-pluto Credited to yotampe-pluto and julienld julienld julienld
ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle Moderate
CVE-2026-32111 was published for ha-mcp (pip) Mar 12, 2026
yotampe-pluto Credited to yotampe-pluto and julienld julienld julienld
OpenClaw: /api/channels gateway-auth boundary bypass via path canonicalization mismatch Moderate
GHSA-8j2w-6fmm-m587 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw: Slack system events bypass sender authorization in member and message subtype handlers Moderate
GHSA-v8cg-4474-49v8 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty Moderate
GHSA-g7cr-9h7q-4qxq was published for openclaw (npm) Mar 12, 2026
zpbrent Credited to zpbrent
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path Moderate
GHSA-vhwf-4x96-vqx2 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution Moderate
GHSA-8g75-q649-6pv6 was published for openclaw (npm) Mar 12, 2026
tdjackey Credited to tdjackey
OliveTin's email argument makes compliance harder, enables log injection Moderate
GHSA-xx6g-43w2-9g6g was published for github.com/OliveTin/OliveTin (Go) Mar 12, 2026
fg0x0 Credited to fg0x0
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database