Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
47
GitHub Actions
48
Go
3,378
Maven
5,000+
npm
5,000+
NuGet
881
pip
4,573
Pub
13
RubyGems
1,013
Rust
1,205
Swift
51
Unreviewed advisories
All unreviewed
5,000+

29,373 advisories

Loading
XenForo before 2.3.7 contains a security issue affecting Passkeys that have been added to user... Critical Unreviewed
CVE-2025-71279 was published Apr 1, 2026
CI4MS: Permissions Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34557 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
bugmithlegend Credited to bugmithlegend and peeefour peeefour peeefour
CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS Critical
CVE-2026-34558 was published for ci4-cms-erp/ci4ms (Composer) Apr 1, 2026
bugmithlegend Credited to bugmithlegend and peeefour peeefour peeefour
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover Critical
GHSA-8rh7-6779-cjqq was published for openclaw (npm) Apr 1, 2026
tdjackey Credited to tdjackey
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides Critical
GHSA-j7p2-qcwm-94v4 was published for openclaw (npm) Mar 31, 2026
tdjackey Credited to tdjackey
parse-server has cloud function validator bypass via prototype chain traversal Critical
CVE-2026-34532 was published for parse-server (npm) Mar 31, 2026
mtrezza Credited to mtrezza and bugbunny-research bugbunny-research bugbunny-research
openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart Critical
GHSA-h45m-mgcp-q388 was published for openssl-encrypt (pip) Mar 31, 2026
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection Critical
CVE-2026-34449 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 31, 2026
sajdakabir Credited to sajdakabir
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client Critical
CVE-2026-34448 was published for github.com/siyuan-note/siyuan/kernel (Go) Mar 31, 2026
ngocnn97 Credited to ngocnn97
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability Critical
CVE-2026-32871 was published for fastmcp (pip) Mar 31, 2026
Pr00fOf3xpl0it Credited to Pr00fOf3xpl0it and Jaynornj Jaynornj Jaynornj
SciTokens is vulnerable to SQL Injection in KeyCache Critical
CVE-2026-32714 was published for scitokens (pip) Mar 31, 2026
pmcao Credited to pmcao and djw8605 djw8605 djw8605
baserCMS has OS command injection vulnerability in installer Critical
CVE-2026-30880 was published for baserproject/basercms (Composer) Mar 31, 2026
baserCMS Update Functionality Vulnerable to OS Command Injection Critical
CVE-2026-30877 was published for baserproject/basercms (Composer) Mar 31, 2026
EricUeda Credited to EricUeda
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE) Critical
CVE-2026-21861 was published for baserproject/basercms (Composer) Mar 31, 2026
kaminuma Credited to kaminuma
The MAVLink communication protocol does not require cryptographic authentication by default.... Critical Unreviewed
CVE-2026-1579 was published Mar 31, 2026
The MS27102A Remote Spectrum Monitor is vulnerable to an authentication bypass that allows... Critical Unreviewed
CVE-2026-3356 was published Mar 31, 2026
An arbitrary file overwrite vulnerability in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77... Critical Unreviewed
CVE-2026-30282 was published Mar 31, 2026
A command injection vulnerability exists in mlflow/mlflow when serving a model with ... Critical Unreviewed
CVE-2026-0596 was published Mar 31, 2026
OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage... Critical Unreviewed
CVE-2026-32917 was published Mar 31, 2026
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where... Critical Unreviewed
CVE-2026-32916 was published Mar 31, 2026
SQL inyection (SQLi) vulnerability in Umami Software web application through an improperly... Critical Unreviewed
CVE-2026-4317 was published Mar 31, 2026
Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret... Critical Unreviewed
CVE-2025-15618 was published Mar 31, 2026
Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password... Critical Unreviewed
CVE-2026-3106 was published Mar 31, 2026
Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password... Critical Unreviewed
CVE-2026-3107 was published Mar 31, 2026
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code... Critical Unreviewed
CVE-2026-3300 was published Mar 31, 2026
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database