Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
50
GitHub Actions
50
Go
3,673
Maven
5,000+
npm
5,000+
NuGet
932
pip
4,894
Pub
13
RubyGems
1,051
Rust
1,315
Swift
53
Unreviewed advisories
All unreviewed
5,000+

320 advisories

Loading
Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic High
CVE-2026-42609 was published for getgrav/grav (Composer) May 5, 2026
AnhNg1410 Credited to AnhNg1410
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all... High Unreviewed
CVE-2026-2892 was published Apr 30, 2026
An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser... High Unreviewed
CVE-2026-5781 was published Apr 28, 2026
Vulnerability in the Oracle Financial Services Customer Screening product of Oracle Financial... High Unreviewed
CVE-2026-34320 was published Apr 21, 2026
free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions High
CVE-2026-40248 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions High
CVE-2026-40247 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions High
CVE-2026-40246 was published for github.com/free5gc/udr (Go) Apr 14, 2026
Giancannella Credited to Giancannella and FrancescoDAlterio FrancescoDAlterio FrancescoDAlterio
Improper authorization in Windows Kerberos allows an authorized attacker to elevate privileges... High Unreviewed
CVE-2026-27912 was published Apr 14, 2026
Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export High
GHSA-4h9q-p5j4-xvvh was published for github.com/lin-snow/ech0 (Go) Apr 10, 2026
threalwinky Credited to threalwinky
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView` High
CVE-2026-40259 was published for github.com/siyuan-note/siyuan/kernel (Go) Apr 10, 2026
ch1nhpd Credited to ch1nhpd
Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contains... High Unreviewed
CVE-2017-20238 was published Apr 4, 2026
OpenClaw: Agentic Consent Bypass — LLM Agent Can Silently Disable Exec Approval via `config.patch` High
GHSA-v3qc-wrwx-j3pw was published for openclaw (npm) Apr 3, 2026
YLChen-007 Credited to YLChen-007
Parser Server's streaming file download bypasses afterFind file trigger authorization High
CVE-2026-34784 was published for parse-server (npm) Apr 1, 2026
offset Credited to offset and mtrezza mtrezza mtrezza
Open WebUI has Broken Access Control in Tool Valves High
CVE-2026-34222 was published for open-webui (pip) Apr 1, 2026
timoles Credited to timoles and sec-consult sec-consult sec-consult
SciTokens has an Authorization Bypass via Incorrect Scope Path Prefix Checking High
CVE-2026-32716 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) High
GHSA-46wh-3698-f2cx was published for github.com/traefik/traefik/v2 (Go) Mar 29, 2026
The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all... High Unreviewed
CVE-2026-4248 was published Mar 28, 2026
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation High
CVE-2026-33680 was published for code.vikunja.io/api (Go) Mar 25, 2026
offset Credited to offset
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect High
CVE-2026-33668 was published for code.vikunja.io/api (Go) Mar 25, 2026
An authentication issue was addressed with improved state management. This issue is fixed in iOS... High Unreviewed
CVE-2026-28865 was published Mar 25, 2026
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information High
CVE-2026-32300 was published for opensource-workshop/connect-cms (Composer) Mar 23, 2026
odgrso Credited to odgrso
Juju has unauthorized update of out-of-scope Vault secrets High
CVE-2026-32692 was published for github.com/juju/juju (Go) Mar 19, 2026
hpidcock Credited to hpidcock
Frigte has broken access control viewer user can delete admin and other users account High
CVE-2026-33125 was published for frigate (pip) Mar 18, 2026
czerlun Credited to czerlun
OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces High
GHSA-r7vr-gr74-94p8 was published for openclaw (npm) Mar 13, 2026
tdjackey Credited to tdjackey
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator High
CVE-2026-3009 was published for org.keycloak:keycloak-services (Maven) Mar 5, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database