GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
All reviewed: 5,000+
Composer: 5,000+
Erlang: 47
GitHub Actions: 48
Go: 3,378
Maven: 5,000+
npm: 5,000+
NuGet: 881
pip: 4,573
Pub: 13
RubyGems: 1,013
Rust: 1,205
Swift: 51

Unreviewed advisories
All unreviewed: 5,000+

121,978 advisories
CVE-2026-4947 (High, Unreviewed, published Apr 1, 2026): Addressed a potential insecure direct object reference (IDOR) vulnerability in the signing...
CVE-2025-13855 (High, Unreviewed, published Apr 1, 2026): IBM Storage Protect Server 8.2.0 IBM Storage Protect Plus Server is vulnerable to SQL injection....
CVE-2026-4374 (High, Unreviewed, published Apr 1, 2026): Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional ...
CVE-2025-71282 (High, Unreviewed, published Apr 1, 2026): XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by...
CVE-2026-3775 (High, Unreviewed, published Apr 1, 2026): The application's update service, when checking for updates, loads certain system libraries from...
CVE-2025-71278 (High, Unreviewed, published Apr 1, 2026): XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This...
CVE-2026-3780 (High, Unreviewed, published Apr 1, 2026): The application's installer runs with elevated privileges but resolves system executables and...
CVE-2026-35056 (High, Unreviewed, published Apr 1, 2026): XenForo before 2.3.9 and before 2.2.18 allows remote code execution (RCE) by authenticated, but...
CVE-2025-71281 (High, Unreviewed, published Apr 1, 2026): XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose...
CVE-2026-3779 (High, Unreviewed, published Apr 1, 2026): The application's list box calculate array logic keeps stale references to page or form objects...
CVE-2026-5214 (High, Unreviewed, published Apr 1, 2026): A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW,...
CVE-2026-34605 (High, published Apr 1, 2026 for github.com/siyuan-note/siyuan/kernel, Go): SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
CVE-2026-34604 (High, published Apr 1, 2026 for @tinacms/graphql, npm): @tinacms/graphql's `FilesystemBridge` Path Validation Can Be Bypassed via Symlinks or Junctions
CVE-2026-34603 (High, published Apr 1, 2026 for @tinacms/graphql, npm): @tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
CVE-2026-34601 (High, published Apr 1, 2026 for @xmldom/xmldom, npm): xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
CVE-2026-34593 (High, published Apr 1, 2026 for ash, Erlang): Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash
CVE-2026-34598 (High, published Apr 1, 2026 for yeswiki/yeswiki, Composer): YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
CVE-2026-34585 (High, published Apr 1, 2026 for github.com/siyuan-note/siyuan/kernel, Go): SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
CVE-2024-49048 (High, published Apr 1, 2026 for torchgeo, pip): TorchGeo Remote Code Execution Vulnerability
GHSA-p4x4-2r7f-wjxg (High, published Apr 1, 2026 for openclaw, npm): OpenClaw gateway exec allow-always over-trusts positional carrier executables
GHSA-5r8f-96gm-5j6g (High, published Apr 1, 2026 for openclaw, npm): OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
GHSA-6pfc-6m7w-m8fx (High, published Mar 31, 2026 for openclaw, npm): OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
GHSA-6xg4-82hv-cp6f (High, published Mar 31, 2026 for openclaw, npm): OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing
GHSA-5h2w-qmfp-ggp6 (High, published Mar 31, 2026 for openclaw, npm): OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
GHSA-jccr-rrw2-vc8h (High, published Mar 31, 2026 for openclaw, npm): OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
Advisories are also available from the GraphQL API.