Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
442
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

257 advisories

Loading
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor High
GHSA-w937-fg2h-xhq2 was published for locize (npm) Apr 22, 2026
A vulnerability was found in ericc-ch copilot-api up to 0.7.0. The impacted element is the... Moderate Unreviewed
CVE-2026-6662 was published Apr 20, 2026
pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) Moderate
CVE-2026-40594 was published for pyload-ng (pip) Apr 16, 2026
offset Credited to offset
WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses High
GHSA-ff5q-cc22-fgp4 was published for wwbn/avideo (Composer) Apr 14, 2026
offset Credited to offset
A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue... Moderate Unreviewed
CVE-2026-6143 was published Apr 13, 2026
Insufficient policy enforcement in History Navigation in Google Chrome prior to 147.0.7727.55... Moderate Unreviewed
CVE-2026-5899 was published Apr 9, 2026
Inappropriate implementation in Navigation in Google Chrome prior to 147.0.7727.55 allowed a... Moderate Unreviewed
CVE-2026-5918 was published Apr 9, 2026
Java-SDK has a DNS Rebinding Vulnerability High
CVE-2026-35568 was published for io.modelcontextprotocol.sdk:mcp-core (Maven) Apr 7, 2026
JLLeitschuh Credited to JLLeitschuh
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim Low
CVE-2026-37977 was published for org.keycloak:keycloak-services (Maven) Apr 6, 2026
Directus: Missing Cross-Origin Opener Policy High
CVE-2026-35408 was published for directus (npm) Apr 4, 2026
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow Moderate
CVE-2026-34083 was published for signalk-server (npm) Apr 3, 2026
VashuVats Credited to VashuVats
OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration High
GHSA-q9w8-cf67-r238 was published for openclaw (npm) Apr 3, 2026
nexrin Credited to nexrin and KeenSecurityLab KeenSecurityLab KeenSecurityLab
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode Moderate
GHSA-mhr7-2xmv-4c4q was published for openclaw (npm) Apr 3, 2026
AntAISecurityLab Credited to AntAISecurityLab
Electron: Incorrect origin passed to permission request handler for iframe requests Moderate
CVE-2026-34777 was published for electron (npm) Apr 3, 2026
A flaw has been found in vanna-ai vanna up to 2.0.2. Affected by this issue is some unknown... Moderate Unreviewed
CVE-2026-5321 was published Apr 2, 2026
GraphQL API endpoint ignores CORS origin restriction Moderate
CVE-2026-34373 was published for parse-server (npm) Mar 30, 2026
mtrezza Credited to mtrezza
HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect High
CVE-2026-34359 was published for ca.uhn.hapi.fhir:org.hl7.fhir.core (Maven) Mar 30, 2026
offset Credited to offset
@grackle-ai/server has Missing WebSocket Origin Header Validation High
GHSA-w3hv-x4fp-6h6j was published for @grackle-ai/server (npm) Mar 25, 2026
HCL Traveler is susceptible to a weak default HTTP header validation vulnerability, which could... Moderate Unreviewed
CVE-2026-21790 was published Mar 24, 2026
Improper Authentication and Origin Validation Error in pyload-ng Moderate
CVE-2026-33314 was published for pyload-ng (pip) Mar 19, 2026
Jaynornj Credited to Jaynornj and Pr00fOf3xpl0it Pr00fOf3xpl0it Pr00fOf3xpl0it
Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation High
CVE-2026-33002 was published for org.jenkins-ci.main:jenkins-core (Maven) Mar 18, 2026
Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers High
CVE-2026-32634 was published for Glances (pip) Mar 16, 2026
offset Credited to offset
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding Moderate
CVE-2026-32632 was published for Glances (pip) Mar 16, 2026
offset Credited to offset
Mattermost allows attackers to spoof permalink embeds Moderate
CVE-2026-2457 was published for github.com/mattermost/mattermost-server (Go) Mar 16, 2026
OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode High
CVE-2026-32302 was published for openclaw (npm) Mar 12, 2026
yianworks Credited to yianworks
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database