Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
44
GitHub Actions
43
Go
3,181
Maven
5,000+
npm
5,000+
NuGet
863
pip
4,474
Pub
12
RubyGems
991
Rust
1,185
Swift
51
Unreviewed advisories
All unreviewed
5,000+

1,888 advisories

Loading
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags Low
GHSA-4685-c5cp-vp95 was published for openclaw (npm) Feb 19, 2026
nedlir Credited to nedlir
Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability Low
CVE-2026-32266 was published for craftcms/google-cloud (Composer) Mar 16, 2026
Stored XSS in Memray-generated HTML reports via unescaped command-line metadata Low
CVE-2026-32722 was published for memray (pip) Mar 16, 2026
0xmrma Credited to 0xmrma
XSS in @leanprover/unicode-input-component Low
CVE-2026-32732 was published for @leanprover/unicode-input-component (npm) Mar 16, 2026
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens Low
CVE-2026-32638 was published for studiocms (npm) Mar 16, 2026
restriction Credited to restriction and Adammatthiesen Adammatthiesen Adammatthiesen
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback Low
CVE-2026-27448 was published for pyopenssl (pip) Mar 16, 2026
Podinfo affected by Arbitrary File Upload that leads to Stored Cross-Site Scripting (XSS) Low
CVE-2025-70849 was published for github.com/stefanprodan/podinfo (Go) Feb 3, 2026
stefanprodan Credited to stefanprodan
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens` Low
CVE-2024-27088 was published for es5-ext (npm) Feb 26, 2024
GAP-dev Credited to GAP-dev and SCH227 SCH227 SCH227
Race condition in Endorsements Low
CVE-2023-47634 was published for decidim (RubyGems) Feb 20, 2024
microstudi Credited to microstudi, alecslupu, and andreslucena alecslupu alecslupu
andreslucena andreslucena
Duplicate Advisory: Keycloak DoS via account lockout Low
GHSA-3hrr-xwvg-hxvr was published for org.keycloak:keycloak-core (Maven) Feb 29, 2024 withdrawn
codespearhead Credited to codespearhead
Mattermost race condition Low
CVE-2024-1949 was published for github.com/mattermost/mattermost/server/v8 (Go) Feb 29, 2024
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning Low
GHSA-q926-c743-49qj was published for github.com/centrifugal/centrifugo/v6 (Go) Mar 13, 2026
VarshankNaik Credited to VarshankNaik
OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode Low
GHSA-qvr7-g57c-mrc7 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch Low
CVE-2026-32236 was published for @backstage/plugin-auth-backend (npm) Mar 12, 2026
Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties Low
GHSA-mwv9-gp5h-frr4 was published for devalue (npm) Mar 12, 2026
elliott-with-the-longest-name-on-github Credited to elliott-with-the-longest-name-on-github, KarimPwnz, wim-vercel, and mattiasljungstrom KarimPwnz KarimPwnz
wim-vercel wim-vercel mattiasljungstrom mattiasljungstrom
Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity Low
CVE-2026-31873 was published for unhead (npm) Mar 12, 2026
simonkoeck Credited to simonkoeck
Keycloak vulnerable to authorization bypass via the Admin API Low
CVE-2026-2366 was published for @keycloak/keycloak-admin-client (Maven) Mar 12, 2026
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure Low
CVE-2026-3965 was published for @whyour/qinglong (npm) Mar 12, 2026
Keycloak: Information disclosure of disabled user attributes via administrative endpoint Low
CVE-2026-3911 was published for org.keycloak:keycloak-services (Maven) Mar 11, 2026
Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html` Low
CVE-2026-32109 was published for copyparty (pip) Mar 12, 2026
thesanjok Credited to thesanjok
Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access Low
CVE-2026-32108 was published for copyparty (pip) Mar 12, 2026
thesanjok Credited to thesanjok
Vaadin: Specially crafted ZIP archives can escape the intended extraction directory Low
CVE-2026-2741 was published for com.vaadin:flow-project (Maven) Mar 10, 2026
Anytype Heart's gRPC API client challenge verification can be bypassed on localhost Low
CVE-2026-31863 was published for github.com/anyproto/anytype-cli (Go) Mar 11, 2026
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page Low
GHSA-g3hp-vvqf-8vw6 was published for craftcms/cms (Composer) Mar 11, 2026
mHe4am Credited to mHe4am
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table Low
CVE-2026-29173 was published for craftcms/commerce (Composer) Mar 10, 2026
mHe4am Credited to mHe4am
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database