Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
3,193
Erlang
25
GitHub Actions
39
Go
2,385
Maven
3,027
npm
3,078
NuGet
529
pip
2,897
Pub
5
RubyGems
444
Rust
905
Swift
20
Unreviewed advisories
All unreviewed
5,000+

1,261 advisories

Loading
RAGAS has SSRF via Multi-Modal Faithfulness Collections Module Low
CVE-2026-6587 was published for ragas (pip) Apr 20, 2026
rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length Low
CVE-2026-41677 was published for openssl (Rust) Apr 22, 2026
pgx: SQL Injection via placeholder confusion with dollar quoted string literals Low
GHSA-j88v-2chj-qfwx was published for github.com/jackc/pgx (Go) Apr 22, 2026
Rand is unsound with a custom logger using rand::rng() Low
GHSA-cq8v-f236-94qc was published for rand (Rust) Apr 14, 2026
simonhollingshead Credited to simonhollingshead, ShoyuVanilla, and nbagnard ShoyuVanilla ShoyuVanilla
nbagnard nbagnard
nimiq-transaction: Panic via `HistoryTreeProof` length mismatch Low
CVE-2026-34067 was published for nimiq-transaction (Rust) Apr 22, 2026
1seal Credited to 1seal and paberr paberr paberr
Apache Airflow Exposes Secrets in Variables Saved as JSON Dictionaries Low
CVE-2026-32690 was published for apache-airflow-core (pip) Apr 18, 2026
Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4 Low
CVE-2026-41140 was published for poetry (pip) Apr 22, 2026
kodareef5 Credited to kodareef5 and radoering radoering radoering
OpenClaw: Delivery queue recovery could lose group tool-policy context for media replay Low
GHSA-r77c-2cmr-7p47 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets Low
GHSA-fqrj-m88p-qf3v was published for openclaw (npm) Apr 7, 2026
nexrin Credited to nexrin, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation Low
CVE-2026-40264 was published for github.com/openbao/openbao (Go) Apr 21, 2026
Zwique Credited to Zwique
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS) Low
CVE-2026-39396 was published for github.com/openbao/openbao (Go) Apr 21, 2026
n1rwhex Credited to n1rwhex
OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate Low
CVE-2026-39388 was published for github.com/openbao/openbao (Go) Apr 21, 2026
jmecom Credited to jmecom
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations Low
CVE-2026-29179 was published for october/system (Composer) Apr 21, 2026
October CMS: Reflected XSS via DataTable Form Widget Low
CVE-2026-27937 was published for october/system (Composer) Apr 21, 2026
daftspunk Credited to daftspunk
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Low
CVE-2026-35624 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Low
GHSA-5f7h-p83x-5vc2 was published for openclaw (npm) Apr 10, 2026 withdrawn
Zio has SubFileSystem Path Confinement Bypass via Unresolved `..` Segment Low
GHSA-h39g-6x3c-7fq9 was published for Zio (NuGet) Apr 18, 2026
SUT0L Credited to SUT0L
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
CVE-2026-35617 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
Duplicate Advisory: OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
GHSA-j42q-r6qx-xrfp was published for openclaw (npm) Apr 10, 2026 withdrawn
Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
melnicek Credited to melnicek
OpenClaw: Microsoft Teams SSO invoke handler missed sender authorization checks Low
GHSA-gc9r-867r-j85f was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Neo4j Labs MCP Servers: SSRF and Data Modification via read_only Mode Bypass Through CALL Procedures Low
CVE-2026-35402 was published for mcp-neo4j-cypher (pip) Apr 17, 2026
yotampe-pluto Credited to yotampe-pluto
langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding Low
GHSA-r7w7-9xr2-qq2r was published for langchain-openai (pip) Apr 16, 2026
deprrous Credited to deprrous
Plonky3: The sponge construction used to get a hash function from a cryptographic permutation is not collision resistant for inputs of different lengths Low
GHSA-3g92-f9ch-qjcm was published for p3-symmetric (Rust) Apr 16, 2026
OpenClaw: TOCTOU read in exec script preflight Low
GHSA-gj9q-8w99-mp8j was published for openclaw (npm) Apr 16, 2026
kikayli Credited to kikayli
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database