Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

597 advisories

Loading
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) High
CVE-2026-42575 was published for chainguard.dev/apko (Go) May 4, 2026
1seal Credited to 1seal and antitree antitree antitree
Dolibarr has Insufficient Verification of Data Authenticity Low
CVE-2026-7689 was published for dolibarr/dolibarr (Composer) May 3, 2026
Hickory DNS's Record Cache Accepts AUTHORITY-Section NS from Sibling Zone via Parent-Pool Zone-Context Elevation High
GHSA-83hf-93m4-rgwq was published for hickory-recursor (Rust) Apr 30, 2026
qifan-sailboat Credited to qifan-sailboat
OpenID Connect nonce generated but never validated — ID token replay attack Moderate
CVE-2026-42206 was published for roadiz/openid (Composer) Apr 29, 2026
athuljayaram Credited to athuljayaram
OpenClaw: Isolated cron awareness events were recorded as trusted system events Low
CVE-2026-44999 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Traefik's ForwardAuth trustForwardHeader=false allows spoofed X-Forwarded-Prefix to bypass authentication High
CVE-2026-35051 was published for github.com/traefik/traefik (Go) Apr 24, 2026
Zwique Credited to Zwique
New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud High
CVE-2026-41432 was published for github.com/QuantumNous/new-api (Go) Apr 24, 2026
Calcium-Ion Credited to Calcium-Ion, ChangeYu0229, and kainordherd ChangeYu0229 ChangeYu0229
kainordherd kainordherd
nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation Critical
CVE-2026-33471 was published for nimiq-block (Rust) Apr 22, 2026
1seal Credited to 1seal
OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input Moderate
CVE-2026-43534 was published for openclaw (npm) Apr 17, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server Moderate
GHSA-p7mm-r948-4q3q was published for @paperclipai/server (npm) Apr 16, 2026
offset Credited to offset
Defense in Depth update for NuGet Client Low
GHSA-g4vj-cjjj-v7hg was published for NuGet.CommandLine (NuGet) Apr 14, 2026
SP1 V6 Recursion Circuit Row-Count Binding Gap High
CVE-2026-40323 was published for sp1_prover (Rust) Apr 14, 2026
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering Low
CVE-2026-40109 was published for github.com/fluxcd/notification-controller (Go) Apr 10, 2026
saroj345 Credited to saroj345
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects High
CVE-2026-40037 was published for openclaw (npm) Apr 9, 2026
BG0ECV Credited to BG0ECV
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header Moderate
CVE-2026-39411 was published for @lobehub/lobehub (npm) Apr 8, 2026
13ernkastel Credited to 13ernkastel
sm1ee Credited to sm1ee, ioquatix, and jeremyevans ioquatix ioquatix
jeremyevans jeremyevans
offset Credited to offset
OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter High
CVE-2026-34511 was published for openclaw (npm) Apr 4, 2026
BG0ECV Credited to BG0ECV
fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation) High
CVE-2026-35042 was published for fast-jwt (npm) Apr 3, 2026
dmbs335 Credited to dmbs335
ProTip! Advisories are also available from the GraphQL API