
GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

28,101 advisories

Credited to YLChen-007
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page High
CVE-2026-34375 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to adrgs and aisafe-bot
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
Credited to mtrezza
Sulu checks fix permissions for subentities endpoints Moderate
CVE-2026-34372 was published for sulu/sulu (Composer) Mar 30, 2026
Credited to sh4dowalker
Credited to offset
AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance Moderate
CVE-2026-34368 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to offset
LiveQuery protected field leak via shared mutable state across concurrent subscribers High
CVE-2026-34363 was published for parse-server (npm) Mar 30, 2026
Credited to mtrezza
AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() Moderate
CVE-2026-34362 was published for wwbn/avideo (Composer) Mar 30, 2026
Credited to offset
MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) Moderate
CVE-2026-34237 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Mar 30, 2026
Credited to srikanthramu
FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft Critical
CVE-2026-34361 was published for ca.uhn.hapi.fhir:org.hl7.fhir.validation (Maven) Mar 30, 2026
Credited to offset
FHIR Validator: Unauthenticated Blind SSRF via /loadIG Endpoint Enables Internal Network Probing Moderate
CVE-2026-34360 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
Credited to offset
Slippers Vulnerable to Cross-Site Scripting (XSS) in `attrs` Template Tag Moderate
CVE-2026-34231 was published for slippers (pip) Mar 30, 2026
Credited to evansd
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
Credited to offset
go-git: Maliciously crafted idx file can cause asymmetric memory consumption Moderate
CVE-2026-34165 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
Credited to kq5y
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node Critical
CVE-2026-34156 was published for @nocobase/plugin-workflow-javascript (npm) Mar 30, 2026
Credited to onurcangnc
Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) Moderate
CVE-2026-33990 was published for github.com/docker/model-runner (Go) Mar 30, 2026
Credited to davidrxchester
@tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files High
CVE-2026-33949 was published for @tinacms/graphql (npm) Mar 30, 2026
Credited to aarjubh
go-git missing validation decoding Index v4 files leads to panic Low
CVE-2026-33762 was published for github.com/go-git/go-git/v5 (Go) Mar 30, 2026
Credited to kq5y
Glances Vulnerable to Command Injection via Dynamic Configuration Values High
CVE-2026-33641 was published for Glances (pip) Mar 30, 2026
Credited to mith36
Credited to tanishqshah2
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover Critical
CVE-2026-33032 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
Credited to yotampe-pluto
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys High
CVE-2026-33030 was published for github.com/0xJacky/nginx-ui (Go) Mar 30, 2026
Credited to f1veT
nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval Moderate
CVE-2026-33029 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
Credited to dapickle
nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse High
CVE-2026-33028 was published for github.com/0xJacky/Nginx-UI (Go) Mar 30, 2026
Credited to dapickle